Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
setup.msi

Overview

General Information

Sample name:setup.msi
Analysis ID:1576619
MD5:0ff7380978d99a4cc05437261753a4f9
SHA1:b889c0ba4a260c0769c440154d578ab1619b54de
SHA256:db2b39529dfcab48614eddb8d5ef60416e8d74d6f05cfcf3a945ae25832d67df
Tags:ateramsiuser-TimeRaptor
Infos:

Detection

AteraAgent
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
AI detected suspicious sample
Creates files in the system32 config directory
Installs Task Scheduler Managed Wrapper
Queries disk data (e.g. SMART data)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Yara detected Generic Downloader
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

  • System is w10x64
  • msiexec.exe (PID: 3328 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • msiexec.exe (PID: 1908 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 5840 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D70D155C234AB8AF4B72048C7B356A69 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 2516 cmdline: rundll32.exe "C:\Windows\Installer\MSI6CCA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4681015 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7188 cmdline: rundll32.exe "C:\Windows\Installer\MSI6F8A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4681656 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7296 cmdline: rundll32.exe "C:\Windows\Installer\MSI85C2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4687312 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7988 cmdline: rundll32.exe "C:\Windows\Installer\MSIA98C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4696484 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 7360 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding D5B63FD359B1E19FF9D4B0B8436ED48E E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 7396 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 7404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 7444 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 7468 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 7476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 7556 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="irina-pyankova1574@cyberia.pl" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OMeCIIA1" /AgentId="9242d891-5551-462a-a31d-e7fa704b4ae1" MD5: 477293F80461713D51A98A24023D45E8)
    • msiexec.exe (PID: 4944 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 08676A301D1865B6D18C209455EE8F01 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 3720 cmdline: rundll32.exe "C:\Windows\Installer\MSIB494.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4764937 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
  • AteraAgent.exe (PID: 7740 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 7872 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7268 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d7844ad1-a3e2-432c-a543-640c11544feb" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OMeCIIA1 MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 7280 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7184 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "68d25974-b2c9-49fd-a8f0-dfebde862097" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OMeCIIA1 MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 7192 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 5596 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "f72507cc-a208-47c8-a3e9-729a1d4628ce" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OMeCIIA1 MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 7484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7840 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "1a0c70a9-8890-4c20-9157-935212dce1a7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OMeCIIA1 MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 7860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7612 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 7620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 7696 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageSTRemote.exe (PID: 6012 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "98b3abfc-f9c9-4d55-adfe-91d1ba1b9071" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OMeCIIA1 MD5: 67FEF41237025021CD4F792E8C24E95A)
      • conhost.exe (PID: 5788 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 8000 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d1b6a42a-05b0-4cdf-a34a-0f09be280e65" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OMeCIIA1 MD5: 5E3252E0248B484E76FCDBF8B42A645D)
      • conhost.exe (PID: 8016 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 7500 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 5448 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 7668 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 7140 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d1b6a42a-05b0-4cdf-a34a-0f09be280e65" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OMeCIIA1 MD5: 5E3252E0248B484E76FCDBF8B42A645D)
      • conhost.exe (PID: 7160 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7196 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "13dc0fc3-697b-4a62-a255-2d8ddb62576d" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OMeCIIA1 MD5: 83FD950ED584099A4125EFBA77E26BAA)
      • conhost.exe (PID: 7240 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7328 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
        • conhost.exe (PID: 4476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cscript.exe (PID: 7336 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)
    • AgentPackageUpgradeAgent.exe (PID: 7644 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "85c4bf9d-6672-4ff6-9d39-c5253fdd9505" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OMeCIIA1 MD5: E9794F785780945D2DDE78520B9BB59F)
      • conhost.exe (PID: 2472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • msiexec.exe (PID: 7996 cmdline: "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart MD5: E5DA170027542E25EDE42FC54C929077)
    • AgentPackageTicketing.exe (PID: 7128 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "5217f7e0-ee66-4f0d-8baa-558190773e5c" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OMeCIIA1 MD5: DB1DB66EBD9B15B7DCD55374EA56EE5E)
      • conhost.exe (PID: 3900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageMonitoring.exe (PID: 5212 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "8fd4c861-1232-40d7-b066-6ca65149b9d1" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000OMeCIIA1 MD5: 5E3252E0248B484E76FCDBF8B42A645D)
      • conhost.exe (PID: 5168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageOsUpdates.exe (PID: 8028 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "5c8848b3-9aa3-46df-aa22-dd004b8c84e1" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OMeCIIA1 MD5: CDE6BA86139AE458ABC24DAD31A66465)
      • conhost.exe (PID: 5700 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageInternalPoller.exe (PID: 3740 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "17f294c0-6fa0-4525-9569-46a8de27528e" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OMeCIIA1 MD5: 01807774F043028EC29982A62FA75941)
      • conhost.exe (PID: 3104 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • sppsvc.exe (PID: 4040 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • svchost.exe (PID: 1136 cmdline: C:\Windows\System32\svchost.exe -k smphost MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • AgentPackageUpgradeAgent.exe (PID: 1056 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun MD5: E9794F785780945D2DDE78520B9BB59F)
    • conhost.exe (PID: 1236 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup

Malware Configuration

No configs have been found

Yara Signatures

Dropped Files

SourceRuleDescriptionAuthorStrings
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLogJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
    C:\Windows\Temp\~DF9CB02A1CDB19CD90.TMPJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
      C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJoeSecurity_GenericDownloader_1Yara detected Generic DownloaderJoe Security
        C:\Windows\Temp\~DFDFE05222FB56D641.TMPJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
          C:\Windows\Temp\~DFA6F35F9524476E30.TMPJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
            Click to see the 70 entries

            Memory Dumps

            SourceRuleDescriptionAuthorStrings
            0000002C.00000002.2507664137.0000026BDEA80000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
              00000034.00000002.2994977412.000001A5DFBA5000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                00000016.00000002.2072331976.0000029D3C9F3000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                  00000036.00000002.2710784303.000001E28A020000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                    0000001F.00000002.2211125948.000002440CC50000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                      Click to see the 360 entries

                      Unpacked PEs

                      SourceRuleDescriptionAuthorStrings
                      47.0.AgentPackageUpgradeAgent.exe.21946f00000.0.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                        56.2.AgentPackageOsUpdates.exe.208f9b00000.1.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                          52.2.AgentPackageTicketing.exe.1a5df4b0000.2.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                            35.0.AgentPackageSTRemote.exe.239e3240000.0.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                              12.0.AteraAgent.exe.2358a2d0000.0.unpackJoeSecurity_AteraAgentYara detected AteraAgentJoe Security
                                Click to see the 11 entries

                                Sigma Signatures

                                Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
                                Source: Process startedAuthor: Michael Haag: Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7612, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 7696, ProcessName: cscript.exe
                                Sigma detected: Net.exe Execution
                                Source: Process startedAuthor: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D5B63FD359B1E19FF9D4B0B8436ED48E E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7360, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7396, ProcessName: net.exe
                                Sigma detected: Stop Windows Service Via Net.EXE
                                Source: Process startedAuthor: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding D5B63FD359B1E19FF9D4B0B8436ED48E E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7360, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7396, ProcessName: net.exe
                                Sigma detected: Windows Processes Suspicious Parent Directory
                                Source: Process startedAuthor: vburov: Data: Command: C:\Windows\System32\svchost.exe -k smphost, CommandLine: C:\Windows\System32\svchost.exe -k smphost, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k smphost, ProcessId: 1136, ProcessName: svchost.exe

                                Suricata Signatures

                                No Suricata rule has matched

                                Joe Sandbox Signatures

                                Click to jump to signature section

                                Show All Signature Results

                                AV Detection

                                barindex
                                Multi AV Scanner detection for dropped file
                                Source: 476b79.rbf (copy)ReversingLabs: Detection: 26%
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeReversingLabs: Detection: 26%
                                Multi AV Scanner detection for submitted file
                                Source: setup.msiVirustotal: Detection: 20%Perma Link
                                Source: setup.msiReversingLabs: Detection: 26%
                                AI detected suspicious sample
                                Source: Submited SampleIntegrated Neural Analysis Model: Matched 97.3% probability
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5064DE0 CryptReleaseContext,37_2_00007FFDF5064DE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5064E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,37_2_00007FFDF5064E20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5064BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,37_2_00007FFDF5064BC0
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA NetworksJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgentJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.configJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\AteraSetupLog.txt
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000025.00000002.2255057739.000002223BCB2000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: AgentPackageOsUpdates.exe, 00000038.00000002.2734200138.00000208FAA92000.00000002.00000001.01000000.0000003C.sdmp
                                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2738686546.00000208FACD1000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1807347475.000002358A2D2000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000016.00000002.2072237433.0000029D3C8A2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageTicketing.exe, 00000034.00000002.2992789220.000001A5DF4B2000.00000002.00000001.01000000.00000044.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2451773042.0000021946F02000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000025.00000002.2264389907.00000222546A2000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbd source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2451773042.0000021946F02000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Tasks\4.0.11.0\System.Threading.Tasks.pdb source: System.Threading.Tasks.dll.26.dr
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2254244604.000002223B742000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 0000003D.00000002.2650091310.000002396E8A2000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 0000003D.00000002.2650741452.000002396EB92000.00000002.00000001.01000000.00000035.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1723738250.0000000004393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.0000000004473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AgentPackageOsUpdates.exe, 00000038.00000002.2738686546.00000208FACBB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\A\_work\39\s\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net45\System.Runtime.InteropServices.RuntimeInformation.pdb source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1807347475.000002358A2D2000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb] source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb!_;_ -__CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 00000038.00000002.2707813433.00000208F9B02000.00000002.00000001.01000000.00000036.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: ib.pdbA source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.00000219600E0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: lib.pdbJ"`J source: AgentPackageSTRemote.exe, 00000023.00000002.3043471622.00000239FC400000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdb source: AgentPackageOsUpdates.exe, 00000038.00000002.2719627470.00000208FA792000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: ib.pdb source: AgentPackageOsUpdates.exe, 00000038.00000002.2738686546.00000208FACD1000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6B4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003D.00000000.2569497839.000002396D6A2000.00000002.00000001.01000000.0000002E.sdmp
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: System.Buffers.dll.26.dr
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.2459674086.000001587FD02000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000D.00000002.2459674086.000001587FD02000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2264874210.0000022254782000.00000002.00000001.01000000.00000023.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2256918494.000002223BD82000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2255057739.000002223BCB2000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000000.2035254092.000001B2EB902000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1723738250.0000000004393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.0000000004473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Dynamic.Runtime\4.0.11.0\System.Dynamic.Runtime.pdb source: System.Dynamic.Runtime.dll.26.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2073017752.000001B2EC212000.00000002.00000001.01000000.00000019.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2489978851.000001E1F8030000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2073017752.000001B2EC212000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2264874210.0000022254782000.00000002.00000001.01000000.00000023.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2489978851.000001E1F8030000.00000002.00000001.01000000.00000029.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2837805640.000002195FFC2000.00000002.00000001.01000000.00000041.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb0 source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdbTlnl `l_CorExeMainmscoree.dll source: AgentPackageTicketing.exe, 00000034.00000000.2502364341.000001A5DF042000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2837805640.000002195FFC2000.00000002.00000001.01000000.00000041.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 00000038.00000000.2548562734.00000208F9692000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmp
                                Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 0000003D.00000002.2650741452.000002396EB92000.00000002.00000001.01000000.00000035.sdmp
                                Source: Binary string: em.pdb source: AteraAgent.exe, 0000000D.00000002.2385156718.000001580004C000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 00000038.00000002.2719627470.00000208FA792000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1723738250.0000000004393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.0000000004473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000025.00000002.2254244604.000002223B742000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000016.00000002.2072237433.0000029D3C8A2000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.00000219600E0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2723586863.00000208FA7E0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2723586863.00000208FA8C6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2278008815.00007FFDF51AA000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1873421889.00000235A47D2000.00000002.00000001.01000000.00000011.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2851854154.0000021960350000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 00000038.00000002.2707813433.00000208F9B02000.00000002.00000001.01000000.00000036.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1873421889.00000235A47D2000.00000002.00000001.01000000.00000011.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2851854154.0000021960350000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2264389907.00000222546A2000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 00000034.00000002.2991622488.000001A5DF492000.00000002.00000001.01000000.00000042.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 0000003D.00000002.2650091310.000002396E8A2000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdbY source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256^Y source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdbpZ source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 00000034.00000000.2502364341.000001A5DF042000.00000002.00000001.01000000.0000002A.sdmp
                                Source: C:\Windows\System32\msiexec.exeFile opened: z:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: x:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: v:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: t:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: r:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: p:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: n:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: l:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: j:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: h:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: f:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: b:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: y:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: w:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: u:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: s:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: q:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: o:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: m:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: k:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: i:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: g:Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile opened: e:Jump to behavior
                                Source: C:\Windows\System32\cscript.exeFile opened: c:
                                Source: C:\Windows\System32\msiexec.exeFile opened: a:Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3E1A44h12_2_00007FFD9B3E187E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3E1FFFh12_2_00007FFD9B3E187E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3E1FFFh12_2_00007FFD9B3E1EB6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3E1FFFh12_2_00007FFD9B3E1E88
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3E1FFFh12_2_00007FFD9B3E1E7E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3E1873h12_2_00007FFD9B3E0C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3E227Bh12_2_00007FFD9B3E0C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B404ECBh13_2_00007FFD9B404E5C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B3E4ECBh26_2_00007FFD9B3E4E6B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then dec eax26_2_00007FFD9B5F1F53
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B5F4000h26_2_00007FFD9B5F3E10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFD9B5F56A9h26_2_00007FFD9B5F55FA

                                Networking

                                barindex
                                System process connects to network (likely due to code injection or exploit)
                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Yara detected Generic Downloader
                                Source: Yara matchFile source: 52.2.AgentPackageTicketing.exe.1a5df490000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 20.0.AgentPackageAgentInformation.exe.1b2eb900000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E2427D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.Z
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/1.9/AGENT.PACKAGE.WATCHDOG.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEADREMOTE/6.0/AGENTPACKAGEADREMOTE.ZIP
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.0000015867217000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEAGENTINFORMATION/38.3/AGENTPACKAGEAGENTINFORMATI
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.6/AGENTPACKAGEMARKETPLACE.ZIP
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/37.8/AGENTPACKAGEMONITORING.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEPROGRAMMANAGEMENT/26.5/AGENTPACKAGEPROGRAMMANAGE
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/24.3/AGENTPACKAGESTREMOTE.ZIP
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESYSTEMTOOLS/27.11/AGENTPACKAGESYSTEMTOOLS.ZIP
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3C54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://a6dc35606b2c6816e.awsglobalaccelerator.com
                                Source: AteraAgent.exe, 0000000C.00000000.1807347475.000002358A2D2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867081000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23991000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://acontrol.atera.com/
                                Source: rundll32.exe, 00000004.00000002.1783660722.00000000048F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158672F9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867396000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586766A000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004645000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2071038379.000001B280199000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2072331976.0000029D3CB19000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.00000152002BD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.00000152001AC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.000001520023F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223C34C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274569C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.000002224FFB7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28ADE6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AF05000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003D.00000002.2618275203.000002390012C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://agent-api.atera.com
                                Source: AgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFDC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.nuget.org
                                Source: rundll32.exe, 00000004.00000002.1783660722.00000000048F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158672F9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867396000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004645000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2071038379.000001B280199000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2072331976.0000029D3CB19000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.00000152002BD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.00000152001AC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.000001520023F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223C34C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274569C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.000002224FFB7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28ADE6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AF05000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003D.00000002.2618275203.000002390012C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2793449512.00000219479DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://blob.ams08prdstr06a.store.core.windows.net
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.2073417612.000001B2ECB79000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.
                                Source: AteraAgent.exe, 0000000D.00000002.2451895454.000001587FA36000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C68B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/
                                Source: AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C68B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCer
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.0000015800031000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2451895454.000001587F960000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2652584802.0000026E231A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2851854154.0000021960350000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmp, System.Threading.Tasks.dll.26.drString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.000001580008C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867396000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867721000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158673B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E2420C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23D17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A46D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1872955223.00000235A475A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2451895454.000001587F960000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580004C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800139000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000AD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.0000015800010000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000E2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2797332651.0000026E3C21F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2813212061.0000026E3C5FD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.000001580008C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt6.
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1872955223.00000235A46D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580008C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580004C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2810273399.0000026E3C2F4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2797332651.0000026E3C245000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2851854154.0000021960362000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.0000015800139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.0000015800031000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2451895454.000001587F960000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580008C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000CC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2451895454.000001587FA36000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000E2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2073417612.000001B2ECAF0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2074039733.0000029D5535F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2074039733.0000029D55345000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6A6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A475A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crcrosoft.com/pki/crl/products/MicCerL
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2074039733.0000029D55371000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.microsoftFu
                                Source: AgentPackageAgentInformation.exe, 00000016.00000002.2074039733.0000029D55345000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.veris
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A475A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A475A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/$v#
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredI
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.0000015800031000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2451895454.000001587F960000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2652584802.0000026E231A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2851854154.0000021960350000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmp, System.Threading.Tasks.dll.26.dr, Pubnub.dll0.1.drString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
                                Source: AteraAgent.exe, 0000000C.00000002.1873178796.00000235A4783000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1873335608.00000235A47C2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1873309094.00000235A47BB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1873178796.00000235A47AE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000A1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.0000015800010000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A46D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1872955223.00000235A475A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2451895454.000001587F960000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580004C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800139000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000AD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867396000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.0000015800010000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867721000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158673B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000E2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.000001580008C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlhttp://crl4.digicert.co
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.000001580004C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256T:
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1872955223.00000235A46D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580008C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2810273399.0000026E3C2F4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2797332651.0000026E3C245000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2851854154.0000021960362000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A475A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1873178796.00000235A47AE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.0000015800031000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580008C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: System.Buffers.dll.26.drString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.000001580008C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl23
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A46D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
                                Source: AteraAgent.exe, 0000000C.00000002.1873933138.00000235A4A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000C.00000002.1873178796.00000235A4773000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crl
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.0000015800010000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867721000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158673B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E2420C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23D17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A46D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1872955223.00000235A475A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2451895454.000001587F960000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580004C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800139000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000AD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.0000015800010000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000E2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2797332651.0000026E3C21F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2813212061.0000026E3C5FD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.0000015800010000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl3
                                Source: AteraAgent.exe, 0000000C.00000002.1873178796.00000235A47AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlb
                                Source: AteraAgent.exe, 0000000C.00000002.1873178796.00000235A4783000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crleight
                                Source: AteraAgent.exe, 0000000C.00000002.1873335608.00000235A47C2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlg
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A475A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/l
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
                                Source: AteraAgent.exe, 0000000C.00000002.1873933138.00000235A4A90000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
                                Source: AgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFDC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cs2.wpc.gammacdn.net
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.0000015800031000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabF
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.00000158000AD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enL
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3C8E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d17kmd0va0f0mp.cloudfront.net
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E24189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E2426E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://d25btwd9wax8gu.cloudfront.net
                                Source: AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000000.2035254092.000001B2EB902000.00000002.00000001.01000000.00000016.sdmpString found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3C8E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://download.splashtop.com
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.00000208801DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gig-ai-prod-weur-0-app-v4-tag.westeurope.cloudapp.azure.com
                                Source: rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
                                Source: rundll32.exe, 00000011.00000002.1937322674.0000000007029000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://microsoft.coj
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3C54000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://my.splashtop.com
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/dummynamespace/
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/3
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/5
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://nlog-project.org/ws/T
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A475A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.0000015800010000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A46D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1873309094.00000235A47BB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391198378.0000015800583000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A475A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/Pv/
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A46D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1872955223.00000235A475A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2451895454.000001587F960000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580004C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800139000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000AD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867396000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.0000015800010000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867721000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158673B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000E2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.0000015800031000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2451895454.000001587F960000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580008C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000CC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2451895454.000001587FA36000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000E2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2073417612.000001B2ECAF0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2073417612.000001B2ECB79000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2074039733.0000029D5535F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2074039733.0000029D55345000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.0000015800031000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2451895454.000001587F960000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2652584802.0000026E231A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2851854154.0000021960350000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmp, System.Threading.Tasks.dll.26.drString found in binary or memory: http://ocsp.digicert.com0C
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0K
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0N
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0O
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1872955223.00000235A46D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580008C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580004C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2810273399.0000026E3C2F4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6A6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2797332651.0000026E3C245000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2851854154.0000021960362000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.0000015800139000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.0000015800010000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A475A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.0000015800010000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A46D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7Nfjgt
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A4741000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.0000015800010000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2451895454.000001587F9C5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2811041613.0000026E3C5C0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.00000158000E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                                Source: AteraAgent.exe, 0000000D.00000002.2451895454.000001587FA26000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl/
                                Source: AteraAgent.exe, 0000001A.00000002.2816336025.0000026E3C653000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl4
                                Source: AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C68B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digice~
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2793449512.00000219479DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://packagesstore.blob.core.windows.net
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://pki.digidentity.eu/validatie0
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E24189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E2426E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.atera.com
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158672F9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E24189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.pndsn.com
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/0
                                Source: AteraAgent.exe, 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                                Source: AteraAgent.exe, 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                                Source: AteraAgent.exe, 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                                Source: rundll32.exe, 00000004.00000002.1783660722.0000000004831000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1783660722.00000000048D4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867081000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004581000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004624000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2071038379.000001B280083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2072331976.0000029D3CAA9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23991000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200270000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3BC1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.00000222500B4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.000002224FE81000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2793449512.00000219478A1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFA31000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AC8A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.000002088019E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003D.00000002.2618275203.0000023900020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameWARE
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.00000208801DD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://westeurope-5.in.applicationinsights.azure.com
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org
                                Source: rundll32.exe, 00000003.00000003.1723738250.0000000004393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.0000000004473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                                Source: rundll32.exe, 00000003.00000003.1723738250.0000000004393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.0000000004473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/news/
                                Source: rundll32.exe, 00000003.00000003.1723738250.0000000004393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.0000000004473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://wixtoolset.org/releases/
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2254599365.000002223BC62000.00000002.00000001.01000000.0000001F.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AF9F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.abit.com.tw/
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.acabogacia.org/doc0
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800580000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ancert.com/cps0
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.anf.es/AC/RC/ocsp0c
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ca.posta.rs/dokumentacija0h
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.000001580020E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.cert.fnmt.es/dpcs/0
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.00000158000DB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.certplus.com/CRL/class1.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-bt0
                                Source: AteraAgent.exe, 0000000D.00000002.2451895454.000001587F960000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.datev.de/zertifikat-policy-int0
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.0000015800139000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.c
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867396000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867721000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158673B5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E2420C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23D17000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1872955223.00000235A46D0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1872955223.00000235A475A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2451895454.000001587F960000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580004C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800139000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000AD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.0000015800010000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.00000158000E2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6B4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS0
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.000001580008C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
                                Source: AteraAgent.exe, 0000000D.00000002.2390790974.0000015800542000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.ecee.gov.pt/dpc0
                                Source: rundll32.exe, 00000011.00000002.1937322674.0000000007029000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.
                                Source: AteraAgent.exe, 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                                Source: AteraAgent.exe, 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.P
                                Source: rundll32.exe, 00000004.00000002.1783660722.00000000048D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterD
                                Source: rundll32.exe, 00000011.00000002.1935944853.0000000004624000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterDf
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867081000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004581000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004624000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2071038379.000001B280083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2072331976.0000029D3CAA9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23991000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200270000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.00000152001AC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200095000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.000001520023F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.00000222500B4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.000002224FE81000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFA31000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AC8A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AE81000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com
                                Source: rundll32.exe, 00000003.00000003.1723738250.0000000004393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1783660722.0000000004831000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1783660722.00000000048D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.0000000004473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004581000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004624000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.00000222500B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Prh
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.2071038379.000001B280083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2072331976.0000029D3CAA9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.00000152001AC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200095000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.000001520023F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production
                                Source: rundll32.exe, 00000003.00000003.1723738250.0000000004393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1783660722.0000000004831000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1783660722.00000000048D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.0000000004473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004AEA000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158672F9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004581000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004624000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.0000015867130000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867396000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.2071038379.000001B280083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2072331976.0000029D3CAA9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
                                Source: AgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFA31000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResultRecurring/AgentPackageTicketingInstallHelp
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.0000015867104000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.0000015867130000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.0000015867081000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.0000015867081000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
                                Source: AgentPackageInternalPoller.exe, 0000003D.00000002.2618275203.0000023900020000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/agentMonitoredDevices/9242d891-5551-462a-a31d-e7fa704b4
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200270000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200270000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200001000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/script-based
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200095000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/guiCommandResult
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.00000222500B4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCo
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.00000152001AC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.000001520023F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.00000222500B4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.000002224FE81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCommandResult
                                Source: AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/thresholds/9242d891-5551-462a-a31d-e7fa704b4ae1
                                Source: rundll32.exe, 00000004.00000002.1783660722.0000000004831000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1783660722.00000000048D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004581000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004624000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
                                Source: rundll32.exe, 00000004.00000002.1783660722.0000000004916000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004666000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event;
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AC8A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Alerts/AddAlertsFromAgent
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AE81000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/monitoring/v1/MonitoringPackage/AddAgentMetrics
                                Source: AgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFDB0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.nuget.org
                                Source: AgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFBCC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000034.00000002.2991622488.000001A5DF492000.00000002.00000001.01000000.00000042.sdmpString found in binary or memory: https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.24.1.46.nupkg
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://crl.anf.es/AC/ANFServerCA.crl0
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2734200138.00000208FAA92000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitor
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/X
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2734200138.00000208FAA92000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2734200138.00000208FAA92000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://dc.services.visualstudio.com/f
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/p
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/pcq
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com/v2/track
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://dc.services.visualstudio.com8
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3C79000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3C79000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3C54000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3C75000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.4.exe
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2719627470.00000208FA792000.00000002.00000001.01000000.0000003A.sdmpString found in binary or memory: https://github.com/App-vNext/Polly.git
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2073017752.000001B2EC212000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2264874210.0000022254782000.00000002.00000001.01000000.00000023.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2489978851.000001E1F8030000.00000002.00000001.01000000.00000029.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.000002088019E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2734200138.00000208FAA92000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://github.com/Microsoft/ApplicationInsights-dotnet
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
                                Source: System.Buffers.dll.26.drString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmp, System.Buffers.dll.26.drString found in binary or memory: https://github.com/dotnet/corefx/tree/7601f4f6225089ffb291dc7d58293c7bbf5c5d4f8
                                Source: AteraAgent.exe, 0000000D.00000002.2459674086.000001587FD02000.00000002.00000001.01000000.00000027.sdmpString found in binary or memory: https://github.com/icsharpcode/SharpZipLib
                                Source: AgentPackageInternalPoller.exe, 0000003D.00000002.2650741452.000002396EB92000.00000002.00000001.01000000.00000035.sdmpString found in binary or memory: https://github.com/lextudio/sharpsnmplib.git
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2734200138.00000208FAA92000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://github.com/microsoft/ApplicationInsights-dotnet/issues/2560
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2734200138.00000208FAA92000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://monitor.azure.com//.default
                                Source: AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3BC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://my.splashtop.com
                                Source: AgentPackageSTRemote.exe, 00000023.00000000.2140448017.00000239E3242000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3BC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://my.splashtop.com/csrs/win
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2266195665.0000022254938000.00000002.00000001.01000000.00000024.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://nlog-project.org/
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2793449512.00000219478A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/BitDefender/rmm.zip
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2451773042.0000021946F02000.00000002.00000001.01000000.00000025.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2793449512.00000219478A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2793449512.00000219478A1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MSI/1.8.7.2/Setupx64.msi
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2451773042.0000021946F02000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MacAgent/1.0/AteraAgentInstaller.pkgA/
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2451773042.0000021946F02000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric5Get
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.00000208800D6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.monitor.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2734200138.00000208FAA92000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://profiler.monitor.azure.com/l
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.monitor.azure.com/p
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://profiler.monitor.azure.com/pcq
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E2427D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.ateH
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E24189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/a
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/ag
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158672F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackage
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158672F9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageA
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAg
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158674AB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAge
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158674D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.z
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.6/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.6/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.3/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674D3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.3/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.3/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesne
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E2427D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availa
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E2427D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip?jnWPUc
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?jnWPUcORQ/
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.3/AgentPackageAgentInformati
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?jnWPUc
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip?jnWP
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip?jnWPU
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/30.2/AgentPackageOsUpdates.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.5/AgentPackageProgramManage
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.3/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.3/AgentPackageSTRemote.zip?jnWPUcORQ
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/24.3/AgentPackageSTRemote.ziph
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.11/AgentPackageSystemTools.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.11/AgentPackageSystemTools.zip?jn
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.2/AgentPackageTicketing.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.2/AgentPackageTicketing.zip?jnWPUcO
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23AAB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.6/AgentPackageUpgradeAgent.zip?j
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2451773042.0000021946F02000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: https://ps.atera.com/installers/Agents/Mac/
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2451773042.0000021946F02000.00000002.00000001.01000000.00000025.sdmpString found in binary or memory: https://ps.atera.com/installers/Agents/Windows/
                                Source: AgentPackageTicketing.exe, 00000034.00000002.2991622488.000001A5DF492000.00000002.00000001.01000000.00000042.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkg
                                Source: AgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFBCC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkgX
                                Source: AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000000.2140448017.00000239E3242000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3BC1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe
                                Source: AgentPackageTicketing.exe, 00000034.00000002.2991622488.000001A5DF492000.00000002.00000001.01000000.00000042.sdmpString found in binary or memory: https://ps.atera.com/translations/TicketingTray/
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158672F9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158672F9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E24189000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.0000015867130000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=5f4d89dc-509f-4fea-a20b-6d7705e5e82f
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158672F9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7a7bfdcc-bebc-4182-a9e4-04acc3bb7bf1
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=8cd8035c-2af9-4bcc-b5e0-1e88507da077
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=a5fd113e-6197-4e15-a459-6d094af70b09
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b4829a1e-7abe-483e-95c6-bc05ffcf1c59
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d8618dba-15cf-4762-be3e-107003045f24
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e9b1d095-e139-4efd-a94d-94277451b3e3
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ch
                                Source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/9242d891
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscrib
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/9242d891-5551-462a-a31d
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.0000015867130000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.coms
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2734200138.00000208FAA92000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://rt.services.visualstudio.com/l
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rt.services.visualstudio.com/p
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://rt.services.visualstudio.com/pcq
                                Source: AgentPackageTicketing.exe, 00000034.00000002.2991622488.000001A5DF492000.00000002.00000001.01000000.00000042.sdmpString found in binary or memory: https://setup-app-resolver.atera.com
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://snapshot.monitor
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.00000208800D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://snapshot.monitor.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2734200138.00000208FAA92000.00000002.00000001.01000000.0000003C.sdmpString found in binary or memory: https://snapshot.monitor.azure.com/&
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://snapshot.monitor.azure.com/p
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2264389907.00000222546A2000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://system.data.sqlite.org/
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2264723090.0000022254704000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://system.data.sqlite.org/X
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2264389907.00000222546A2000.00000002.00000001.01000000.00000022.sdmpString found in binary or memory: https://urn.to/r/sds_see
                                Source: AteraAgent.exe, 0000000D.00000002.2390790974.0000015800555000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://web.certicamara.com/marco-legal0Z
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.co
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.000002088019E000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000038.00000000.2548562734.00000208F9692000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.00000208800D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnosti
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/api/profiles/
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/pcq
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.00000208800D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/v2/track
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope.livediagnostics.monitor.azure.com/
                                Source: AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://westeurope.livediagnostics.monitor.azure.com/pcq
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ACTAS/789230
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/AC/ANFServerCA.crl0
                                Source: AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.anf.es/address/)1(0&
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/json
                                Source: rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2266195665.0000022254938000.00000002.00000001.01000000.00000024.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpString found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
                                Source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2073017752.000001B2EC212000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2264874210.0000022254782000.00000002.00000001.01000000.00000023.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2489978851.000001E1F8030000.00000002.00000001.01000000.00000029.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                                Source: AgentPackageMonitoring.exeString found in binary or memory: https://www.sqlite.org/copyright.html
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2278399117.00007FFDF51F4000.00000002.00000001.01000000.0000001C.sdmpString found in binary or memory: https://www.sqlite.org/copyright.html2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEBJump to dropped file

                                Spam, unwanted Advertisements and Ransom Demands

                                barindex
                                Reads the Security eventlog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                                Reads the System eventlog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\476b72.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6CCA.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6F8A.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI85C2.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8AD4.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8AE5.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8B63.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8C6E.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\476b74.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\476b74.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA98C.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\476b75.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB494.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBB4C.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC85D.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\inprogressinstallinfo.ipiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID118.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID148.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID2DF.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID419.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEB7A.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEBF8.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIECC4.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIED52.tmpJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\476b81.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\476b81.msiJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF448.tmpJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CCA.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CCA.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CCA.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CCA.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CCA.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CCA.tmp-\CustomAction.configJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6F8A.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6F8A.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6F8A.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6F8A.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6F8A.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6F8A.tmp-\CustomAction.configJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI85C2.tmp-Jump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI85C2.tmp-\AlphaControlAgentInstallation.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI85C2.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI85C2.tmp-\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI85C2.tmp-\System.Management.dllJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI85C2.tmp-\CustomAction.configJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA98C.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA98C.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA98C.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA98C.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA98C.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA98C.tmp-\CustomAction.config
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB494.tmp-
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB494.tmp-\AlphaControlAgentInstallation.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB494.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB494.tmp-\Newtonsoft.Json.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB494.tmp-\System.Management.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB494.tmp-\CustomAction.config
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Windows\System32\msiexec.exeFile deleted: C:\Windows\Installer\MSI6CCA.tmpJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 4_3_06B800404_3_06B80040
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_070D59A85_3_070D59A8
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_070D50B85_3_070D50B8
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 5_3_070D4D685_3_070D4D68
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B3E336812_2_00007FFD9B3E3368
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B3E605812_2_00007FFD9B3E6058
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B3E57E812_2_00007FFD9B3E57E8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B3EC99E12_2_00007FFD9B3EC99E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B3E187E12_2_00007FFD9B3E187E
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B3EBBEE12_2_00007FFD9B3EBBEE
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B3E0C8912_2_00007FFD9B3E0C89
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B4D085312_2_00007FFD9B4D0853
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B3E0C1D12_2_00007FFD9B3E0C1D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B40CFB813_2_00007FFD9B40CFB8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B409AF213_2_00007FFD9B409AF2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B411D4813_2_00007FFD9B411D48
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B411CE013_2_00007FFD9B411CE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B6252AD13_2_00007FFD9B6252AD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B61189513_2_00007FFD9B611895
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B61693C13_2_00007FFD9B61693C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B6252A813_2_00007FFD9B6252A8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B62529013_2_00007FFD9B625290
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B61268313_2_00007FFD9B612683
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B61470613_2_00007FFD9B614706
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_06AC004017_3_06AC0040
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3F11BD20_2_00007FFD9B3F11BD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3E795620_2_00007FFD9B3E7956
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3E195320_2_00007FFD9B3E1953
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3F211820_2_00007FFD9B3F2118
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3E870220_2_00007FFD9B3E8702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B40057D20_2_00007FFD9B40057D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3E745920_2_00007FFD9B3E7459
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3E12FB20_2_00007FFD9B3E12FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3F11D320_2_00007FFD9B3F11D3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3F0ED820_2_00007FFD9B3F0ED8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3E16FA20_2_00007FFD9B3E16FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3F0E3C20_2_00007FFD9B3F0E3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B4011BD22_2_00007FFD9B4011BD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3F795622_2_00007FFD9B3F7956
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B40211822_2_00007FFD9B402118
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3F870222_2_00007FFD9B3F8702
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3F12FB22_2_00007FFD9B3F12FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B4011D322_2_00007FFD9B4011D3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B400ED822_2_00007FFD9B400ED8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3FBEE022_2_00007FFD9B3FBEE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3F16FA22_2_00007FFD9B3F16FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B400DBA22_2_00007FFD9B400DBA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFD9B3F12FB24_2_00007FFD9B3F12FB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFD9B3F16FA24_2_00007FFD9B3F16FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3ED3E826_2_00007FFD9B3ED3E8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3FD20826_2_00007FFD9B3FD208
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3F93F626_2_00007FFD9B3F93F6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3EA08026_2_00007FFD9B3EA080
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3F1D7826_2_00007FFD9B3F1D78
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3F1D1026_2_00007FFD9B3F1D10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B5F137426_2_00007FFD9B5F1374
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B5F9D1B26_2_00007FFD9B5F9D1B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B40897629_2_00007FFD9B408976
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B410EB329_2_00007FFD9B410EB3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B4012FA29_2_00007FFD9B4012FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B40D1DD29_2_00007FFD9B40D1DD
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B40972229_2_00007FFD9B409722
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B40C4D129_2_00007FFD9B40C4D1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B4204F029_2_00007FFD9B4204F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B403BF229_2_00007FFD9B403BF2
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B415D3A29_2_00007FFD9B415D3A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B41D44029_2_00007FFD9B41D440
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B40073029_2_00007FFD9B400730
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 29_2_00007FFD9B4016FA29_2_00007FFD9B4016FA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B3D17A035_2_00007FFD9B3D17A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B3F172935_2_00007FFD9B3F1729
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B3E174D35_2_00007FFD9B3E174D
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B3D356835_2_00007FFD9B3D3568
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B3F2CA035_2_00007FFD9B3F2CA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B3E84C035_2_00007FFD9B3E84C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B3F1C2635_2_00007FFD9B3F1C26
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B3E528835_2_00007FFD9B3E5288
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeCode function: 35_2_00007FFD9B3E531835_2_00007FFD9B3E5318
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50DB88037_2_00007FFDF50DB880
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF51901E037_2_00007FFDF51901E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF51820E037_2_00007FFDF51820E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF518696037_2_00007FFDF5186960
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF505D63437_2_00007FFDF505D634
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF509F63037_2_00007FFDF509F630
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50BB64737_2_00007FFDF50BB647
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF506564037_2_00007FFDF5065640
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF505347437_2_00007FFDF5053474
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50574B037_2_00007FFDF50574B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF505955C37_2_00007FFDF505955C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF509D77037_2_00007FFDF509D770
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF519F79037_2_00007FFDF519F790
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50AF78037_2_00007FFDF50AF780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF506D83037_2_00007FFDF506D830
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF51A184037_2_00007FFDF51A1840
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50F169037_2_00007FFDF50F1690
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF51456D037_2_00007FFDF51456D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50C36E037_2_00007FFDF50C36E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50F772037_2_00007FFDF50F7720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50E917037_2_00007FFDF50E9170
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50511B037_2_00007FFDF50511B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50BF1B037_2_00007FFDF50BF1B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF516320037_2_00007FFDF5163200
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50CF22037_2_00007FFDF50CF220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF51850F037_2_00007FFDF51850F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50EB37037_2_00007FFDF50EB370
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50793D037_2_00007FFDF50793D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF512F3E037_2_00007FFDF512F3E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF505D28437_2_00007FFDF505D284
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50ED35037_2_00007FFDF50ED350
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF505F34037_2_00007FFDF505F340
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5083E1037_2_00007FFDF5083E10
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5065E5037_2_00007FFDF5065E50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF512DCC037_2_00007FFDF512DCC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF513BCD037_2_00007FFDF513BCD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5099CF037_2_00007FFDF5099CF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5127D2037_2_00007FFDF5127D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5097E7037_2_00007FFDF5097E70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50D3EB037_2_00007FFDF50D3EB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5105EA037_2_00007FFDF5105EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50F7EA037_2_00007FFDF50F7EA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50EFED037_2_00007FFDF50EFED0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5057EC037_2_00007FFDF5057EC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50AFEF037_2_00007FFDF50AFEF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5067F3037_2_00007FFDF5067F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5089F3037_2_00007FFDF5089F30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50E5F2037_2_00007FFDF50E5F20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50BB9F037_2_00007FFDF50BB9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50B18DA37_2_00007FFDF50B18DA
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF507D91037_2_00007FFDF507D910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF513DB8037_2_00007FFDF513DB80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5099BA037_2_00007FFDF5099BA0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF507BBE037_2_00007FFDF507BBE0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5193C2037_2_00007FFDF5193C20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5089A6037_2_00007FFDF5089A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5107A6037_2_00007FFDF5107A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5085AD037_2_00007FFDF5085AD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50F3AF037_2_00007FFDF50F3AF0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50B7B3037_2_00007FFDF50B7B30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF513659037_2_00007FFDF5136590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF510E59037_2_00007FFDF510E590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF510A5D037_2_00007FFDF510A5D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF51705D037_2_00007FFDF51705D0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50585D437_2_00007FFDF50585D4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF518E5B037_2_00007FFDF518E5B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50D060037_2_00007FFDF50D0600
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50B64A037_2_00007FFDF50B64A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50644DC37_2_00007FFDF50644DC
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50A051037_2_00007FFDF50A0510
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF505A52437_2_00007FFDF505A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50D455037_2_00007FFDF50D4550
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50EA7E037_2_00007FFDF50EA7E0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF505E80C37_2_00007FFDF505E80C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF518C68037_2_00007FFDF518C680
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF506273837_2_00007FFDF5062738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF506E72037_2_00007FFDF506E720
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF510C22037_2_00007FFDF510C220
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50C224037_2_00007FFDF50C2240
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50F40A037_2_00007FFDF50F40A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50EA0C037_2_00007FFDF50EA0C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50DC11037_2_00007FFDF50DC110
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50F22B037_2_00007FFDF50F22B0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50FA2F037_2_00007FFDF50FA2F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF511831037_2_00007FFDF5118310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF507231037_2_00007FFDF5072310
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF507033037_2_00007FFDF5070330
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF518CD6037_2_00007FFDF518CD60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5054DB437_2_00007FFDF5054DB4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50B0E3037_2_00007FFDF50B0E30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5184C8037_2_00007FFDF5184C80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF509ACD037_2_00007FFDF509ACD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5066CC037_2_00007FFDF5066CC0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50C4D0037_2_00007FFDF50C4D00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50D6D2037_2_00007FFDF50D6D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5118D2037_2_00007FFDF5118D20
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF51A0D3037_2_00007FFDF51A0D30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5062F8C37_2_00007FFDF5062F8C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF509AFB037_2_00007FFDF509AFB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50EEFD037_2_00007FFDF50EEFD0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF509902037_2_00007FFDF5099020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF507CE7037_2_00007FFDF507CE70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF505CEA837_2_00007FFDF505CEA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50AE99037_2_00007FFDF50AE990
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5058A3C37_2_00007FFDF5058A3C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF506886037_2_00007FFDF5068860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF511686037_2_00007FFDF5116860
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50A88A037_2_00007FFDF50A88A0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50528C037_2_00007FFDF50528C0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF514691037_2_00007FFDF5146910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50A8B9037_2_00007FFDF50A8B90
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50FCC0037_2_00007FFDF50FCC00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5098A6037_2_00007FFDF5098A60
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF511AA7037_2_00007FFDF511AA70
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5076A8037_2_00007FFDF5076A80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF513AB0037_2_00007FFDF513AB00
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50CCB5037_2_00007FFDF50CCB50
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B40BD6137_2_00007FFD9B40BD61
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B405D0F37_2_00007FFD9B405D0F
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B40D12637_2_00007FFD9B40D126
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B6231C637_2_00007FFD9B6231C6
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B622AEB37_2_00007FFD9B622AEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B62EFA837_2_00007FFD9B62EFA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B62604337_2_00007FFD9B626043
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B62ACF837_2_00007FFD9B62ACF8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B7247A537_2_00007FFD9B7247A5
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B734D1737_2_00007FFD9B734D17
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B733C7137_2_00007FFD9B733C71
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B730D1537_2_00007FFD9B730D15
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B73CDB037_2_00007FFD9B73CDB0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B7F359037_2_00007FFD9B7F3590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B7FF44337_2_00007FFD9B7FF443
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B7FF37837_2_00007FFD9B7FF378
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B7F4EA837_2_00007FFD9B7F4EA8
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B8031F037_2_00007FFD9B8031F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B808C9B37_2_00007FFD9B808C9B
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B9ABB9837_2_00007FFD9B9ABB98
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B9A3F4C37_2_00007FFD9B9A3F4C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B9902D737_2_00007FFD9B9902D7
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B99A1F037_2_00007FFD9B99A1F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B99C92837_2_00007FFD9B99C928
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFD9B9A3F8037_2_00007FFD9B9A3F80
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF51A1D30 appears 114 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF51A1B70 appears 102 times
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: String function: 00007FFDF51A06B0 appears 145 times
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, InflaterInputBuffer.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, DeflaterOutputStream.csCryptographic APIs: 'TransformBlock'
                                Source: ICSharpCode.SharpZipLib.dll.1.dr, ZipAESTransform.csCryptographic APIs: 'TransformBlock'
                                Source: AteraAgent.exe.1.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: AteraAgent.exe0.1.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                                Source: classification engineClassification label: mal100.troj.spyw.evad.winMSI@103/435@0/11
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA NetworksJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.logJump to behavior
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7160:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5700:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7484:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1236:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7880:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackageosupdates_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5168:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7620:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7404:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7280:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7240:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\GenericDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\Access_ISABUS.HTP.Method
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:2472:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3104:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4476:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: NULL
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:5788:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7668:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7860:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMutant created: \BaseNamedObjects\NLogMutexTester
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\SNMPDevicesFileLock
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\NLog-FileFileArchiveLock-c:_program files (x86)_atera networks_ateraagent_packages_agentpackagemonitoring_log.txt
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3900:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7192:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMutant created: \BaseNamedObjects\Global\Access_PCI
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\HttpDevicesFileLock
                                Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7476:120:WilError_03
                                Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8016:120:WilError_03
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMutant created: \BaseNamedObjects\Global\ServerDevicesFileLock
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF02FCC3B492CAA10B.TMPJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = &quot;AteraAgent.exe&quot;)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CAJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6CCA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4681015 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@X9
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@X9
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResult
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223C37B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.00000227456CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@X9
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AC8A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2278008815.00007FFDF51AA000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AF64000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO StatisticsSendTime (Timestamp) Values (@timestamp);
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AE19000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2278008815.00007FFDF51AA000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@X9
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2278008815.00007FFDF51AA000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AE81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2278008815.00007FFDF51AA000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2278008815.00007FFDF51AA000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AE81000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2266312927.0000022255535000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2278008815.00007FFDF51AA000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@X9
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223C37B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.00000227456CD000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AC8A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
                                Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000025.00000002.2278008815.00007FFDF51AA000.00000002.00000001.01000000.0000001C.sdmpBinary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28B0ED000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
                                Source: setup.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                                Source: setup.msiVirustotal: Detection: 20%
                                Source: setup.msiReversingLabs: Detection: 26%
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
                                Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D70D155C234AB8AF4B72048C7B356A69
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6CCA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4681015 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6F8A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4681656 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI85C2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4687312 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D5B63FD359B1E19FF9D4B0B8436ED48E E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="irina-pyankova1574@cyberia.pl" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OMeCIIA1" /AgentId="9242d891-5551-462a-a31d-e7fa704b4ae1"
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIA98C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4696484 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d7844ad1-a3e2-432c-a543-640c11544feb" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "68d25974-b2c9-49fd-a8f0-dfebde862097" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "f72507cc-a208-47c8-a3e9-729a1d4628ce" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "1a0c70a9-8890-4c20-9157-935212dce1a7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "98b3abfc-f9c9-4d55-adfe-91d1ba1b9071" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d1b6a42a-05b0-4cdf-a34a-0f09be280e65" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d1b6a42a-05b0-4cdf-a34a-0f09be280e65" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "13dc0fc3-697b-4a62-a255-2d8ddb62576d" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "85c4bf9d-6672-4ff6-9d39-c5253fdd9505" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "5217f7e0-ee66-4f0d-8baa-558190773e5c" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "8fd4c861-1232-40d7-b066-6ca65149b9d1" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "5c8848b3-9aa3-46df-aa22-dd004b8c84e1" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 08676A301D1865B6D18C209455EE8F01 E Global\MSI0000
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIB494.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4764937 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "17f294c0-6fa0-4525-9569-46a8de27528e" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D70D155C234AB8AF4B72048C7B356A69Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding D5B63FD359B1E19FF9D4B0B8436ED48E E Global\MSI0000Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="irina-pyankova1574@cyberia.pl" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OMeCIIA1" /AgentId="9242d891-5551-462a-a31d-e7fa704b4ae1"Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 08676A301D1865B6D18C209455EE8F01 E Global\MSI0000Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6CCA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4681015 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentIdJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6F8A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4681656 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStartJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI85C2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4687312 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallationJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIA98C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4696484 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEndJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgentJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d7844ad1-a3e2-432c-a543-640c11544feb" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "68d25974-b2c9-49fd-a8f0-dfebde862097" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "f72507cc-a208-47c8-a3e9-729a1d4628ce" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "1a0c70a9-8890-4c20-9157-935212dce1a7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "98b3abfc-f9c9-4d55-adfe-91d1ba1b9071" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d1b6a42a-05b0-4cdf-a34a-0f09be280e65" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d1b6a42a-05b0-4cdf-a34a-0f09be280e65" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "13dc0fc3-697b-4a62-a255-2d8ddb62576d" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "85c4bf9d-6672-4ff6-9d39-c5253fdd9505" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "5217f7e0-ee66-4f0d-8baa-558190773e5c" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "8fd4c861-1232-40d7-b066-6ca65149b9d1" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "5c8848b3-9aa3-46df-aa22-dd004b8c84e1" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "17f294c0-6fa0-4525-9569-46a8de27528e" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIB494.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4764937 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: uxtheme.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textinputframework.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coreuicomponents.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: coremessaging.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wintypes.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: propsys.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: textshaping.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msihnd.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: tsappcmp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: userenv.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: profapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: sspicli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netapi32.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: srclient.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: spp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: powrprof.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vssapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vsstrace.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: umpdc.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: wldp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptsp.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rsaenh.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cryptbase.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: msisip.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: gpapi.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: mscoree.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dll
                                Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dll
                                Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: uxtheme.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: riched20.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: usp10.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msls31.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wscapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: urlmon.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iertutil.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: srvcli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: netutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wtsapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winsta.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: devobj.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: napinsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: pnrpnsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wshbth.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: nlaapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winrnr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: version.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: kernel.appcore.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: sxs.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: vbscript.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: amsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: userenv.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: profapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wldp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msasn1.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptsp.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: rsaenh.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptbase.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: msisip.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wshext.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrobj.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: gpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: cryptnet.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: iphlpapi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: winnsi.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: mpr.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: scrrun.dll
                                Source: C:\Windows\System32\cscript.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: wbemcomn.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: amsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: userenv.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: schannel.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: mskeyprotect.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ntasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ncrypt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: ncryptsslp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeSection loaded: gpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mscoree.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: apphelp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: kernel.appcore.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: version.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: vcruntime140_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ucrtbase_clr0400.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: windows.storage.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: wldp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: profapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: cryptsp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rsaenh.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: cryptbase.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: iphlpapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dnsapi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dhcpcsvc6.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: dhcpcsvc.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: winnsi.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: msasn1.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasapi32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasman.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rtutils.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: mswsock.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: winhttp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: ondemandconnroutehelper.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: rasadhlp.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: fwpuclnt.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: secur32.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: sspicli.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeSection loaded: schannel.dll
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA NetworksJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgentJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.configJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeDirectory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to behavior
                                Source: C:\Windows\System32\msiexec.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}Jump to behavior
                                Source: setup.msiStatic file information: File size 2994176 > 1048576
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000025.00000002.2255057739.000002223BCB2000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: /_/obj/Release/Microsoft.ApplicationInsights/net46/Microsoft.ApplicationInsights.pdb source: AgentPackageOsUpdates.exe, 00000038.00000002.2734200138.00000208FAA92000.00000002.00000001.01000000.0000003C.sdmp
                                Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2738686546.00000208FACD1000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1807347475.000002358A2D2000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000016.00000002.2072237433.0000029D3C8A2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageTicketing.exe, 00000034.00000002.2992789220.000001A5DF4B2000.00000002.00000001.01000000.00000044.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2451773042.0000021946F02000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000025.00000002.2264389907.00000222546A2000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbd source: AgentPackageUpgradeAgent.exe, 0000002F.00000000.2451773042.0000021946F02000.00000002.00000001.01000000.00000025.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Threading.Tasks\4.0.11.0\System.Threading.Tasks.pdb source: System.Threading.Tasks.dll.26.dr
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2254244604.000002223B742000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 0000003D.00000002.2650091310.000002396E8A2000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 0000003D.00000002.2650741452.000002396EB92000.00000002.00000001.01000000.00000035.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1723738250.0000000004393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.0000000004473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: AgentPackageOsUpdates.exe, 00000038.00000002.2738686546.00000208FACBB000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\A\_work\39\s\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net45\System.Runtime.InteropServices.RuntimeInformation.pdb source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1807347475.000002358A2D2000.00000002.00000001.01000000.0000000F.sdmp
                                Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb] source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb!_;_ -__CorDllMainmscoree.dll source: AgentPackageOsUpdates.exe, 00000038.00000002.2707813433.00000208F9B02000.00000002.00000001.01000000.00000036.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: ib.pdbA source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.00000219600E0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: lib.pdbJ"`J source: AgentPackageSTRemote.exe, 00000023.00000002.3043471622.00000239FC400000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdb source: AgentPackageOsUpdates.exe, 00000038.00000002.2719627470.00000208FA792000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: ib.pdb source: AgentPackageOsUpdates.exe, 00000038.00000002.2738686546.00000208FACD1000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C6B4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003D.00000000.2569497839.000002396D6A2000.00000002.00000001.01000000.0000002E.sdmp
                                Source: Binary string: E:\A\_work\156\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.Buffers\netfx\System.Buffers.pdb source: System.Buffers.dll.26.dr
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.2459674086.000001587FD02000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000D.00000002.2459674086.000001587FD02000.00000002.00000001.01000000.00000027.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2264874210.0000022254782000.00000002.00000001.01000000.00000023.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2256918494.000002223BD82000.00000002.00000001.01000000.00000021.sdmp
                                Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmp
                                Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2255057739.000002223BCB2000.00000002.00000001.01000000.00000020.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000000.2035254092.000001B2EB902000.00000002.00000001.01000000.00000016.sdmp
                                Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1723738250.0000000004393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.0000000004473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Dynamic.Runtime\4.0.11.0\System.Dynamic.Runtime.pdb source: System.Dynamic.Runtime.dll.26.dr
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2073017752.000001B2EC212000.00000002.00000001.01000000.00000019.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2489978851.000001E1F8030000.00000002.00000001.01000000.00000029.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2073017752.000001B2EC212000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2264874210.0000022254782000.00000002.00000001.01000000.00000023.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2489978851.000001E1F8030000.00000002.00000001.01000000.00000029.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2837805640.000002195FFC2000.00000002.00000001.01000000.00000041.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb0 source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdbTlnl `l_CorExeMainmscoree.dll source: AgentPackageTicketing.exe, 00000034.00000000.2502364341.000001A5DF042000.00000002.00000001.01000000.0000002A.sdmp
                                Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2837805640.000002195FFC2000.00000002.00000001.01000000.00000041.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates\obj\Release\AgentPackageOsUpdates.pdb source: AgentPackageOsUpdates.exe, 00000038.00000000.2548562734.00000208F9692000.00000002.00000001.01000000.0000002B.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmp
                                Source: Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 0000003D.00000002.2650741452.000002396EB92000.00000002.00000001.01000000.00000035.sdmp
                                Source: Binary string: em.pdb source: AteraAgent.exe, 0000000D.00000002.2385156718.000001580004C000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/src/Polly/obj/Release/net461/Polly.pdbSHA256I5 source: AgentPackageOsUpdates.exe, 00000038.00000002.2719627470.00000208FA792000.00000002.00000001.01000000.0000003A.sdmp
                                Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1723738250.0000000004393000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.0000000004473000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004AEA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000025.00000002.2254244604.000002223B742000.00000002.00000001.01000000.0000001E.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000016.00000002.2072237433.0000029D3C8A2000.00000002.00000001.01000000.00000018.sdmp
                                Source: Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: mscorlib.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.00000219600E0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2723586863.00000208FA7E0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2723586863.00000208FA8C6000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2278008815.00007FFDF51AA000.00000002.00000001.01000000.0000001C.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1873421889.00000235A47D2000.00000002.00000001.01000000.00000011.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2851854154.0000021960350000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: D:\a\1\s\AgentPackageOsUpdates\AgentPackageOsUpdates.Common\obj\Release\AgentPackageOsUpdates.Common.pdb source: AgentPackageOsUpdates.exe, 00000038.00000002.2707813433.00000208F9B02000.00000002.00000001.01000000.00000036.sdmp
                                Source: Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1873421889.00000235A47D2000.00000002.00000001.01000000.00000011.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2851854154.0000021960350000.00000004.00000020.00020000.00000000.sdmp, Pubnub.dll0.1.dr
                                Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000025.00000002.2264389907.00000222546A2000.00000002.00000001.01000000.00000022.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 00000034.00000002.2991622488.000001A5DF492000.00000002.00000001.01000000.00000042.sdmp
                                Source: Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 0000003D.00000002.2650091310.000002396E8A2000.00000002.00000001.01000000.00000032.sdmp
                                Source: Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdbY source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp
                                Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256^Y source: AteraAgent.exe, 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmp
                                Source: Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdbpZ source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp
                                Source: Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AgentPackageTicketing.exe, 00000034.00000000.2502364341.000001A5DF042000.00000002.00000001.01000000.0000002A.sdmp
                                Source: BouncyCastle.Crypto.dll.1.drStatic PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5061910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,37_2_00007FFDF5061910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 12_2_00007FFD9B3ED45B push cs; retf 12_2_00007FFD9B3ED465
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B61180C push eax; ret 13_2_00007FFD9B611824
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B6102C1 push eax; ret 13_2_00007FFD9B6102E4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B610AF1 push eax; ret 13_2_00007FFD9B610B14
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B625587 push edx; iretd 13_2_00007FFD9B6255DB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 13_2_00007FFD9B615E2A push eax; ret 13_2_00007FFD9B615EB4
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_069E57B8 push es; ret 17_3_069E5840
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_069E4E90 push es; ret 17_3_069E4EA0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_069E6BF1 push es; ret 17_3_069E6C00
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_069E6880 push es; ret 17_3_069E6890
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_069ED1A1 push es; ret 17_3_069ED1B0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_069EDDC0 push es; ret 17_3_069EDDD0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_069E5890 push es; ret 17_3_069E58A0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_069E58B0 push es; ret 17_3_069E58C0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_069E58D3 push es; ret 17_3_069E58E0
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_069E58F0 push es; ret 17_3_069E5940
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_069E5850 push es; ret 17_3_069E5860
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_069E5870 push es; ret 17_3_069E5880
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_069E5953 push es; ret 17_3_069E5960
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_06AC4ECF push dword ptr [esp+ecx*2-75h]; ret 17_3_06AC4ED3
                                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_3_06AC18F0 push es; ret 17_3_06AC1900
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3F7969 push ebx; retf 20_2_00007FFD9B3F796A
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 20_2_00007FFD9B3E00BD pushad ; iretd 20_2_00007FFD9B3E00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 22_2_00007FFD9B3F00BD pushad ; iretd 22_2_00007FFD9B3F00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeCode function: 24_2_00007FFD9B3F00BD pushad ; iretd 24_2_00007FFD9B3F00C1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3ECB5F push FFFFFFE8h; retf 26_2_00007FFD9B3ECEF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3EA080 push FFFFFFE8h; retf 26_2_00007FFD9B3ECEF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3EC930 push FFFFFFE8h; retf 26_2_00007FFD9B3ECEF1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3EA64A push eax; retf 26_2_00007FFD9B3EA661
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3EA650 push eax; retf 26_2_00007FFD9B3EA661
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 26_2_00007FFD9B3F2DFA push FFFFFFE8h; retf 26_2_00007FFD9B3F2EF1

                                Persistence and Installation Behavior

                                barindex
                                Creates files in the system32 config directory
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeFile created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6F8A.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8C6E.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6F8A.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF448.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 476b7f.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 476b7e.rbf (copy)Jump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CCA.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI85C2.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA98C.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CCA.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI85C2.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8B63.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 476b79.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB494.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA98C.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB494.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB494.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIECC4.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8AE5.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBB4C.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6F8A.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIED52.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID148.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6F8A.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 476b7b.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 476b7c.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA98C.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI85C2.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: 476b7d.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA98C.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.Mutex.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI85C2.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI85C2.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB494.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CCA.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID419.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CCA.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID2DF.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6CCA.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA98C.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB494.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEBF8.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC85D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6F8A.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIB494.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI85C2.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CCA.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CCA.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI85C2.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6F8A.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6F8A.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8C6E.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6F8A.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI85C2.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI85C2.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIF448.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID2DF.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6CCA.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB494.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeFile created: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIA98C.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB494.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIECC4.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8AE5.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI8B63.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA98C.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB494.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CCA.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIED52.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA98C.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIEBF8.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIBB4C.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID148.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI85C2.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSIC85D.tmpJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSID419.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIB494.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA98C.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\Installer\MSI6F8A.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6CCA.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSIA98C.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\Installer\MSI6F8A.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Windows\system32\InstallUtil.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
                                Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\AteraSetupLog.txt

                                Boot Survival

                                barindex
                                Installs Task Scheduler Managed Wrapper
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF505A524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,37_2_00007FFDF505A524
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeKey value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                                Source: C:\Windows\SysWOW64\taskkill.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess information set: NOOPENFILEERRORBOX

                                Malware Analysis System Evasion

                                barindex
                                Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID=&quot;\\\\.\\PHYSICALDRIVE0&quot;} where resultclass = Win32_DiskPartition
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent=&quot;Win32_DiskDrive.DeviceID=\&quot;\\\\\\\\.\\\\PHYSICALDRIVE0\&quot;&quot;
                                Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                                Queries sensitive service information (via WMI, MSSMBios_RawSMBiosTables, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\WMI : SELECT * FROM MSSMBios_RawSMBiosTables
                                Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select DisplayName,Name,Started,State from Win32_Service where Name=&apos;MSExchangeIS&apos; OR DisplayName=&apos;MSExchangeIS&apos;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select DisplayName,Name,Started,State from Win32_Service where Name=&apos;MSExchangeIS&apos; OR DisplayName=&apos;MSExchangeIS&apos;
                                Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #0&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #0\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #1&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #1\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : associators of {\\user-PC\root\CIMV2:Win32_DiskPartition.DeviceID=&quot;Disk #0, Partition #2&quot;} where resultclass = Win32_LogicalDisk
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select * from Win32_LogicalDiskToPartition where Antecedent=&quot;Win32_DiskPartition.DeviceID=\&quot;Disk #0, Partition #2\&quot;&quot;
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
                                Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 2358BDE0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 235A4010000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 15866BA0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 1587F080000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1B2EBC50000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 1B2EC320000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 29D3C650000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 29D54980000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 241BA360000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 241D29D0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 26E234A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMemory allocated: 26E3B990000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 15269280000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 15269460000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 239E37F0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeMemory allocated: 239FBAB0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 2223B6B0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 22253DD0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 22744A50000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 2275D120000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 2224FC90000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMemory allocated: 22267E80000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 21947250000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 2195F8A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1E1F76C0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeMemory allocated: 1E1F78A0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 1A5DF370000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeMemory allocated: 1A5F7A30000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1E28A250000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeMemory allocated: 1E2A29F0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMemory allocated: 208F98F0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeMemory allocated: 208FA080000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 2396DAD0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeMemory allocated: 2396E0C0000 memory reserve | memory write watch
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599654
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599544
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599324
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599216
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598999
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598671
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598559
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598341
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598124
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598013
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597900
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597555
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597442
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597202
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596874
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596546
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596327
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596218
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595999
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595671
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595553
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595311
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599889
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599540
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599419
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599294
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598969
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598744
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598504
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598216
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597873
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597763
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597504
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597266
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596484
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596370
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595920
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595799
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595561
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595452
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595219
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594891
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594779
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594671
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594562
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594451
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593999
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593869
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599846
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599514
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599391
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599246
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599102
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598937
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598759
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598641
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598516
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598403
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598283
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598156
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598041
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597587
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597218
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596900
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596779
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596667
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596507
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596382
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596247
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596108
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595979
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595852
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595562
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595166
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595026
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594916
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594806
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594571
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594449
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594343
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594102
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593988
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593864
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593604
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593460
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593333
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593047
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592678
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592420
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592172
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592040
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591701
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591461
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590675
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590554
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 3397
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 6219
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 1904
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 7602
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 6239
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 3625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeWindow / User API: threadDelayed 4978
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeWindow / User API: threadDelayed 4840
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 3794
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 3018
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 2469
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 4248
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWindow / User API: threadDelayed 1319
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeWindow / User API: threadDelayed 6638
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeWindow / User API: threadDelayed 3014
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 7611
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWindow / User API: threadDelayed 1947
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeWindow / User API: threadDelayed 4347
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeWindow / User API: threadDelayed 1635
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6F8A.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8C6E.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6F8A.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIF448.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 476b7f.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 476b7e.rbf (copy)Jump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6CCA.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI85C2.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA98C.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6CCA.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI85C2.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8B63.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB494.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA98C.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB494.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB494.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeDropped PE file which has not been started: C:\Windows\Temp\SplashtopStreamer.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIECC4.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI8AE5.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIBB4C.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6F8A.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIED52.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID148.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6F8A.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 476b7b.rbf (copy)Jump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 476b7c.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA98C.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI85C2.tmp-\AlphaControlAgentInstallation.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: 476b7d.rbf (copy)Jump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA98C.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.Mutex.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI85C2.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI85C2.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB494.tmp-\Microsoft.Deployment.WindowsInstaller.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6CCA.tmp-\System.Management.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID419.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6CCA.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exeJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.InteropServices.RuntimeInformation.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSID2DF.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6CCA.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exeJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIA98C.tmpJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSIB494.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIEBF8.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dllJump to dropped file
                                Source: C:\Windows\System32\msiexec.exeDropped PE file which has not been started: C:\Windows\Installer\MSIC85D.tmpJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dllJump to dropped file
                                Source: C:\Windows\SysWOW64\rundll32.exeDropped PE file which has not been started: C:\Windows\Installer\MSI6F8A.tmp-\Newtonsoft.Json.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeDropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dllJump to dropped file
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeRegistry key enumerated: More than 126 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 7256Thread sleep time: -30000s >= -30000sJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7636Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7580Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7796Thread sleep count: 3397 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7788Thread sleep count: 6219 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8064Thread sleep count: 32 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8064Thread sleep time: -29514790517935264s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8064Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8100Thread sleep time: -120000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8112Thread sleep time: -3689348814741908s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8096Thread sleep time: -180000s >= -30000s
                                Source: C:\Windows\SysWOW64\rundll32.exe TID: 8052Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7440Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7292Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7456Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7336Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7400Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7468Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7624Thread sleep count: 1904 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7624Thread sleep count: 7602 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7876Thread sleep count: 36 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7876Thread sleep time: -33204139332677172s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7876Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7792Thread sleep time: -90000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7564Thread sleep time: -2767011611056431s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7904Thread sleep time: -90000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7636Thread sleep count: 6239 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7636Thread sleep count: 3625 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep count: 33 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -30437127721620741s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -599875s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -599765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -599654s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -599544s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -599437s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -599324s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -599216s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -599109s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -598999s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -598890s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -598780s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -598671s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -598559s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -598453s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -598341s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -598234s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -598124s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -598013s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -597900s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -597555s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -597442s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -597312s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -597202s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -597093s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -596984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -596874s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -596765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -596656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -596546s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -596437s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -596327s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -596218s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -596109s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -595999s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -595890s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -595780s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -595671s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -595553s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -595421s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -595311s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -595203s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1004Thread sleep time: -595020s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep count: 41 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -37815825351104557s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8044Thread sleep count: 4978 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -599889s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8044Thread sleep count: 4840 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -599765s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -599656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -599540s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -599419s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -599294s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -599187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -599078s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -598969s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -598859s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -598744s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -598625s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -598504s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -598344s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -598216s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -598093s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -597984s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -597873s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -597763s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -597656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -597504s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -597375s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -597266s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -597141s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -597031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -596922s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -596812s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -596703s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -596590s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -596484s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -596370s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -596250s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -596140s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -596031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -595920s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -595799s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -595672s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -595561s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -595452s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -595344s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -595219s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -595109s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -595000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -594891s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -594779s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -594671s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -594562s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -594451s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -594344s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -594234s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -594125s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -593999s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 8060Thread sleep time: -593869s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 1832Thread sleep count: 3794 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7380Thread sleep time: -20291418481080494s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7380Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 3452Thread sleep count: 3018 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7368Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7976Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6720Thread sleep count: 2469 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7780Thread sleep time: -14757395258967632s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7780Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6792Thread sleep count: 4248 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7804Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 6576Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7320Thread sleep count: 1319 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7348Thread sleep count: 244 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7080Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7408Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 3052Thread sleep time: -60000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 7508Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 3352Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 3284Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5940Thread sleep count: 6638 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -27670116110564310s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -600000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -599846s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -599656s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -599514s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -599391s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -599246s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -599102s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -598937s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -598759s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -598641s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 5940Thread sleep count: 3014 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -598516s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -598403s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -598283s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -598156s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -598041s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -597922s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -597812s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -597703s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -597587s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -597453s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -597218s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -597031s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -596900s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -596779s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -596667s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -596507s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -596382s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -596247s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -596108s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -595979s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -595852s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -595719s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -595562s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -595359s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -595166s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -595026s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -594916s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -594806s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -594687s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -594571s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -594449s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -594343s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -594234s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -594102s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -593988s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -593864s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -593738s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -593604s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -593460s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -593333s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -593187s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -593047s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -592922s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -592797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -592678s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -592547s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -592420s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -592312s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -592172s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -592040s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -591922s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -591812s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -591701s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -591594s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -591461s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -591344s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -591234s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -591125s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -591015s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -590906s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -590797s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -590675s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -590554s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4812Thread sleep time: -590437s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2488Thread sleep count: 7611 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2284Thread sleep time: -25825441703193356s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2284Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 2488Thread sleep count: 1947 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 7724Thread sleep count: 4347 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 7376Thread sleep time: -9223372036854770s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 1704Thread sleep count: 1635 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 7900Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe TID: 1668Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 3128Thread sleep count: 296 > 30
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 6260Thread sleep time: -30000s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 4324Thread sleep time: -922337203685477s >= -30000s
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile opened: PhysicalDrive0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_ComputerSystem
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeFile Volume queried: C:\ FullSizeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeThread delayed: delay time: 90000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599875
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599654
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599544
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599324
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599216
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 599109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598999
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598671
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598559
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598341
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598124
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 598013
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597900
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597555
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597442
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597202
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 597093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596874
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596546
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596327
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596218
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 596109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595999
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595890
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595780
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595671
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595553
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595421
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595311
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595203
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 595020
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599889
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599765
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599540
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599419
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599294
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 599078
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598969
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598859
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598744
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598625
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598504
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598216
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 598093
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597984
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597873
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597763
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597504
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597375
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597266
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597141
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 597031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596590
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596484
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596370
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596250
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596140
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 596031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595920
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595799
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595672
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595561
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595452
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595219
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595109
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 595000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594891
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594779
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594671
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594562
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594451
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 594125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593999
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeThread delayed: delay time: 593869
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 600000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599846
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599656
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599514
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599391
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599246
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 599102
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598937
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598759
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598641
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598516
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598403
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598283
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598156
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 598041
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597703
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597587
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597453
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597218
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 597031
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596900
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596779
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596667
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596507
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596382
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596247
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 596108
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595979
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595852
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595719
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595562
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595359
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595166
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 595026
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594916
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594806
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594687
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594571
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594449
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594343
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 594102
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593988
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593864
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593738
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593604
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593460
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593333
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593187
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 593047
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592678
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592547
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592420
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592312
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592172
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 592040
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591922
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591812
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591701
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591594
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591461
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591344
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591234
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591125
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 591015
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590906
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590797
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590675
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590554
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeThread delayed: delay time: 590437
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeThread delayed: delay time: 30000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeThread delayed: delay time: 922337203685477
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-CheckSumValid.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Format-FileSize.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariableNames.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-EnvironmentVariable.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyUnzip.ps1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeFile opened: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-ChocolateyWebFile.ps1
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service0
                                Source: svchost.exe, 00000027.00000003.2522640580.000001467EB44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2353581735.0000015268BF9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2616454383.00000222686A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Remote Desktop Virtualization Service
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2353581735.0000015268BF9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped2
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2353581735.0000015268BF9000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped.
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 6VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2357201801.0000015269CE4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2622078923.000002226874A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
                                Source: svchost.exe, 00000027.00000002.2979176678.000001467E800000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk6000C2942FCE4D06663969F532E45D1A0VMwareVirtual disk
                                Source: AteraAgent.exe, 0000000C.00000002.1873178796.00000235A4773000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AF9F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM2
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2357856647.0000015269E43000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}"6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AteraAgent.exe, 0000000C.00000002.1873178796.00000235A47AE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2451895454.000001587F9C5000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2829189532.000001E2A30B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AF9F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.2
                                Source: AteraAgent.exe, 0000000C.00000002.1872955223.00000235A46D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWen-GBn
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
                                Source: svchost.exe, 00000027.00000003.2522640580.000001467EB44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware Virtual disk
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2353581735.0000015268BF9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2579705714.000002224F762000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2355929789.0000015269C52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicshutdownvmicshutdownStoppedp
                                Source: AgentPackageAgentInformation.exe, 00000014.00000002.2073417612.000001B2ECB43000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllII
                                Source: AgentPackageAgentInformation.exe, 00000014.00000000.2035254092.000001B2EB902000.00000002.00000001.01000000.00000016.sdmpBinary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                                Source: svchost.exe, 00000027.00000002.2979793044.000001467E869000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVirtual disk2.06000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C2942FCE4D06663969F532E45D1A
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service0
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.0000022250002000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicshutdown
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2355929789.0000015269C52000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStopped
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AC8A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmware
                                Source: svchost.exe, 00000027.00000002.2979643228.000001467E852000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: JSetPropValue.Manufacturer("VMware");
                                Source: AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: IsVirtualMachine
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AF9F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware-56 4d 43
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2829189532.000001E2A30B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VM
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.0000022250002000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20,1
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.0000022250002000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicvss
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2579705714.000002224F762000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStoppedH
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface0
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA IIES1371
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Volume Shadow Copy Requestor0
                                Source: AgentPackageUpgradeAgent.exe, 0000002F.00000002.2841602569.00000219600E0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllRO
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2353581735.0000015268BF9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2616454383.00000222686A0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.0000022250002000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Data Exchange Service
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2357201801.0000015269CE4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2622078923.000002226874A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2357201801.0000015269CE4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2622078923.000002226874A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.0000022250002000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Service Interface
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.0000022250002000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.0000022250002000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: vmicheartbeat
                                Source: svchost.exe, 00000027.00000002.2979643228.000001467E852000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AF9F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual R
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2622078923.000002226874A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped8~
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2357856647.0000015269E43000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[[#
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -Hyper-V Remote Desktop Virtualization Service0
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2829189532.000001E2A30B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.0000022250002000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2356421287.0000015269C8D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServicevmicvssvmicvssStopped
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.0000022250002000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: "Win32_Service.Name="vmicheartbeat"p^
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2357201801.0000015269CE4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStoppedqM
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2357201801.0000015269CE4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2622078923.000002226874A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V Time Synchronization Service
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Guest Shutdown Service0
                                Source: AgentPackageMonitoring.exe, 00000028.00000002.2419891016.000002275D8B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW'
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware, Inc.NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0VMware20,1
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20,12
                                Source: AteraAgent.exe, 0000000D.00000002.2385156718.000001580004C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II
                                Source: rundll32.exe, 00000004.00000002.1782441357.000000000290D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935049131.00000000028C0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2074039733.0000029D552C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2797332651.0000026E3C245000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.3043471622.00000239FC400000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2263051148.0000022254606000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2625057638.00000222687D0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2723586863.00000208FA8C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003D.00000002.2643606210.000002396E780000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                                Source: AgentPackageTicketing.exe, 00000034.00000002.3205015389.000001A5F8270000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll__
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2616454383.00000222686A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2622078923.000002226874A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped
                                Source: AteraAgent.exe, 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2253887131.000002223B6E2000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmpBinary or memory string: get_IsVirtualMachine
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2357201801.0000015269CE4000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.0000022250002000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Win32_Service.Name="vmicvss"p^
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2357201801.0000015269CE4000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2622078923.000002226874A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V PowerShell Direct Service
                                Source: svchost.exe, 00000027.00000002.2979503696.000001467E82B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware, Inc.VMware20,1NoneVMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0nSS @
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.0000022250002000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Win32_Service.Name="vmicshutdown"p^
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: $Hyper-V Time Synchronization Service0
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2829189532.000001E2A30B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Inc.NoneVMwarep/
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2829189532.000001E2A30B0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwarep/
                                Source: AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V Heartbeat Service0
                                Source: svchost.exe, 00000027.00000002.2980561721.000001467E8B2000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: (@SetPropValue.FriendlyName("VMware Virtual disk");
                                Source: svchost.exe, 00000027.00000003.2522640580.000001467EB44000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{fadc7a83-6534-864a-66c8-a75a642cb79f}6000C2942FCE4D06663969F532E45D1AVMware Virtual diskVMwareVirtual disk6000c2942fce4d06663969f532e45d1aPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
                                Source: AgentPackageAgentInformation.exe, 0000001D.00000002.2353581735.0000015268BF9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2616454383.00000222686A0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStopped
                                Source: AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.0000022250002000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: !Hyper-V PowerShell Direct Service
                                Source: AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AF9F000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware SVGA II2
                                Source: C:\Windows\System32\msiexec.exeProcess information queried: ProcessInformationJump to behavior
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Windows\System32\sppsvc.exeProcess queried: DebugPort
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5055E14 IsDebuggerPresent,__crtUnhandledException,GetCurrentProcess,TerminateProcess,37_2_00007FFDF5055E14
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF509B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,37_2_00007FFDF509B9F0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5061910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,37_2_00007FFDF5061910
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF5057A84 GetProcessHeap,37_2_00007FFDF5057A84
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeProcess token adjusted: Debug
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF505ACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,37_2_00007FFDF505ACD4
                                Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: page read and write | page guardJump to behavior

                                HIPS / PFW / Operating System Protection Evasion

                                barindex
                                System process connects to network (likely due to code injection or exploit)
                                Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 40.119.152.241 443
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="irina-pyankova1574@cyberia.pl" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OMeCIIA1" /AgentId="9242d891-5551-462a-a31d-e7fa704b4ae1"Jump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: unknown unknownJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgentJump to behavior
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                                Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgentJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d7844ad1-a3e2-432c-a543-640c11544feb" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "68d25974-b2c9-49fd-a8f0-dfebde862097" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "f72507cc-a208-47c8-a3e9-729a1d4628ce" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "1a0c70a9-8890-4c20-9157-935212dce1a7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "98b3abfc-f9c9-4d55-adfe-91d1ba1b9071" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d1b6a42a-05b0-4cdf-a34a-0f09be280e65" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d1b6a42a-05b0-4cdf-a34a-0f09be280e65" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "13dc0fc3-697b-4a62-a255-2d8ddb62576d" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "85c4bf9d-6672-4ff6-9d39-c5253fdd9505" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "5217f7e0-ee66-4f0d-8baa-558190773e5c" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "8fd4c861-1232-40d7-b066-6ca65149b9d1" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "5c8848b3-9aa3-46df-aa22-dd004b8c84e1" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "17f294c0-6fa0-4525-9569-46a8de27528e" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OMeCIIA1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: unknown unknown
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeProcess created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: unknown unknown
                                Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exeJump to behavior
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="irina-pyankova1574@cyberia.pl" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000omeciia1" /agentid="9242d891-5551-462a-a31d-e7fa704b4ae1"
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d7844ad1-a3e2-432c-a543-640c11544feb" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "68d25974-b2c9-49fd-a8f0-dfebde862097" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "f72507cc-a208-47c8-a3e9-729a1d4628ce" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "1a0c70a9-8890-4c20-9157-935212dce1a7" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "98b3abfc-f9c9-4d55-adfe-91d1ba1b9071" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kiiwiumvxdwvzdfblcm1pc3npb25pchrpb24iom51bgwsiljlcxvpcmvqyxnzd29yze9wdglvbii6bnvsbcwiugfzc3dvcmqiom51bgx9" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d1b6a42a-05b0-4cdf-a34a-0f09be280e65" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d1b6a42a-05b0-4cdf-a34a-0f09be280e65" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "13dc0fc3-697b-4a62-a255-2d8ddb62576d" agent-api.atera.com/production 443 or8ixli90mf "generalinfo" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "85c4bf9d-6672-4ff6-9d39-c5253fdd9505" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "5217f7e0-ee66-4f0d-8baa-558190773e5c" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "8fd4c861-1232-40d7-b066-6ca65149b9d1" agent-api.atera.com/production 443 or8ixli90mf "monitor" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageosupdates\agentpackageosupdates.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "5c8848b3-9aa3-46df-aa22-dd004b8c84e1" agent-api.atera.com/production 443 or8ixli90mf "getlistofallupdates" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageinternalpoller\agentpackageinternalpoller.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "17f294c0-6fa0-4525-9569-46a8de27528e" agent-api.atera.com/production 443 or8ixli90mf "pollall" 001q300000omeciia1
                                Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="irina-pyankova1574@cyberia.pl" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000omeciia1" /agentid="9242d891-5551-462a-a31d-e7fa704b4ae1"Jump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d7844ad1-a3e2-432c-a543-640c11544feb" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "68d25974-b2c9-49fd-a8f0-dfebde862097" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "f72507cc-a208-47c8-a3e9-729a1d4628ce" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "1a0c70a9-8890-4c20-9157-935212dce1a7" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "98b3abfc-f9c9-4d55-adfe-91d1ba1b9071" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kiiwiumvxdwvzdfblcm1pc3npb25pchrpb24iom51bgwsiljlcxvpcmvqyxnzd29yze9wdglvbii6bnvsbcwiugfzc3dvcmqiom51bgx9" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d1b6a42a-05b0-4cdf-a34a-0f09be280e65" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d1b6a42a-05b0-4cdf-a34a-0f09be280e65" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "13dc0fc3-697b-4a62-a255-2d8ddb62576d" agent-api.atera.com/production 443 or8ixli90mf "generalinfo" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageupgradeagent\agentpackageupgradeagent.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "85c4bf9d-6672-4ff6-9d39-c5253fdd9505" agent-api.atera.com/production 443 or8ixli90mf "checkforupdates" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageticketing\agentpackageticketing.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "5217f7e0-ee66-4f0d-8baa-558190773e5c" agent-api.atera.com/production 443 or8ixli90mf "maintain" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "8fd4c861-1232-40d7-b066-6ca65149b9d1" agent-api.atera.com/production 443 or8ixli90mf "monitor" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageosupdates\agentpackageosupdates.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "5c8848b3-9aa3-46df-aa22-dd004b8c84e1" agent-api.atera.com/production 443 or8ixli90mf "getlistofallupdates" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageinternalpoller\agentpackageinternalpoller.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "17f294c0-6fa0-4525-9569-46a8de27528e" agent-api.atera.com/production 443 or8ixli90mf "pollall" 001q300000omeciia1
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF505739C cpuid 37_2_00007FFDF505739C
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformationJump to behavior
                                Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI6CCA.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI6CCA.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI6F8A.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI6F8A.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI6F8A.tmp-\Newtonsoft.Json.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI85C2.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSI85C2.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIA98C.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIA98C.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIA98C.tmp-\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIB494.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
                                Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIB494.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll VolumeInformation
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF505CC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,37_2_00007FFDF505CC04
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF50585D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,37_2_00007FFDF50585D4
                                Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct

                                Stealing of Sensitive Information

                                barindex
                                Queries disk data (e.g. SMART data)
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeDevice IO: \Device\Harddisk0\DR0
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeDevice IO: \Device\Harddisk0\DR0

                                Remote Access Functionality

                                barindex
                                Yara detected AteraAgent
                                Source: Yara matchFile source: 47.0.AgentPackageUpgradeAgent.exe.21946f00000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 56.2.AgentPackageOsUpdates.exe.208f9b00000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 52.2.AgentPackageTicketing.exe.1a5df4b0000.2.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 35.0.AgentPackageSTRemote.exe.239e3240000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 12.0.AteraAgent.exe.2358a2d0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 37.2.AgentPackageMonitoring.exe.2223b6e0000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 52.2.AgentPackageTicketing.exe.1a5df490000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 22.2.AgentPackageAgentInformation.exe.29d3c8a0000.1.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 52.0.AgentPackageTicketing.exe.1a5df040000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 37.0.AgentPackageMonitoring.exe.2223b320000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 26.2.AteraAgent.exe.26e23ca7188.0.raw.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 61.0.AgentPackageInternalPoller.exe.2396d6a0000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 20.0.AgentPackageAgentInformation.exe.1b2eb900000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 56.0.AgentPackageOsUpdates.exe.208f9690000.0.unpack, type: UNPACKEDPE
                                Source: Yara matchFile source: 0000002C.00000002.2507664137.0000026BDEA80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2994977412.000001A5DFBA5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2072331976.0000029D3C9F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2710784303.000001E28A020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2211125948.000002440CC50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2579705714.000002224F71B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2618275203.000002390001E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2699316243.00000208F991C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2071212803.0000029D3C210000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2662924761.0000020880194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2266312927.0000022255535000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2981767076.00000239E341B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1862091988.000002358A416000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2710784303.000001E28A05A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2391198378.0000015800583000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2071212803.0000029D3C22B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2088822606.00000241B9FF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2072331976.0000029D3CA0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1875046101.00007FFD9B474000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2507433085.0000026BDE983000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2578673445.000002224F690000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E24059000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2353581735.0000015268BB1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2707813433.00000208F9B02000.00000002.00000001.01000000.00000036.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1863468169.000002358C0CA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2507433085.0000026BDE96B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2990093552.00000239E3650000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2252746004.000002223B503000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2071212803.0000029D3C24C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2732182242.000001E28B0B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.000001586775F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2392021388.0000022745121000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1863468169.000002358C18C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2841757741.000001E2A4065000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2982908855.000001A5DF160000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2652584802.0000026E23206000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2710083269.000001E289FB0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000002.1783660722.00000000048D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2791766189.0000021947270000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2385156718.0000015800031000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2579705714.000002224F6E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2618275203.0000023900231000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2725439667.000001E28A2B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2623921845.00000222687AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2630520485.00000222688B9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2643606210.000002396E7EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2763756199.00000167660B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2424422551.000002275E8C2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000000.2451773042.0000021946F02000.00000002.00000001.01000000.00000025.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.000001586744A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2662924761.00000208805EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2252746004.000002223B4C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E23E42000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2732182242.000001E28B0BA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E2427B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2341203187.000001520026D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2776713478.00000219470A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000003.2695767843.0000016765830000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000000.2140448017.00000239E3242000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2451895454.000001587F960000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000002.2507433085.0000026BDE960000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2977651521.000000C5079A1000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2486274448.000001E1F70B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000003.2627145054.00000167660AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2266264698.0000022255337000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2981767076.00000239E3378000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000000.2548562734.00000208F9692000.00000002.00000001.01000000.0000002B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2732182242.000001E28AE19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2072331976.0000029D3C981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2633279331.000002396D7D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2477771148.00007FFDF51F0000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000002.1783660722.0000000004831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.00000158672F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2355103857.0000015268DC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2388496843.0000022744900000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2584934193.000002224FFB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2072008202.0000029D3C470000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2253887131.000002223B6E2000.00000002.00000001.01000000.0000001D.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2776713478.000002194712D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2818435322.0000026E3C668000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2710784303.000001E28A03B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2579705714.000002224F71F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2842753455.000001E2A408D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.0000015867217000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2662924761.00000208800D6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2072267454.000001B2EBB6D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1863468169.000002358C099000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1863468169.000002358C142000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2818435322.0000026E3C6B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1863468169.000002358C011000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2388496843.0000022744908000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2385156718.000001580004C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2732182242.000001E28B0E7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2212653983.000002440CEA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2981767076.00000239E3330000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2425981574.000002275EAE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2732182242.000001E28B0A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1862186018.000002358A43F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2813212061.0000026E3C5FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2263051148.0000022254606000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2662924761.00000208805F9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2842621858.000001E2A4089000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1863468169.000002358C176000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2486344295.000001E1F7157000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2841681973.000001E2A3E67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2089695421.00000241BA3A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1874282974.00000235A4ADB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2071212803.0000029D3C250000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1872955223.00000235A46D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2652320722.0000026E23120000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2257304683.000002223C37B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2211125948.000002440CC5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2088822606.00000241B9FF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2072331976.0000029D3CAA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2618275203.0000023900240000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2991884534.00000239E3B2B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2392021388.00000227456CD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2642816590.000000DC9B3D5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2699316243.00000208F995F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E24189000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.000001586754A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2982908855.000001A5DF1A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1862186018.000002358A43A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2977659147.000000180C351000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2353581735.0000015268B70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1862154622.000002358A430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2991233857.000001A5DF3B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2994977412.000001A5DFA31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2483872903.000001E180083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2071212803.0000029D3C218000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2071038379.000001B280083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2278293079.00007FFDF51E9000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2652584802.0000026E23180000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2071212803.0000029D3C293000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2385156718.00000158000AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2486344295.000001E1F70D8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1862186018.000002358A4A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2618275203.0000023900234000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2584934193.00000222500B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.0000015867104000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2662924761.00000208802C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2388008471.00000227447A0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2390969055.0000022744A80000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2732182242.000001E28AF9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2981767076.00000239E3370000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1863468169.000002358C0C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2633279331.000002396D79C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2618275203.0000023900239000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2991884534.00000239E3BC1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2252746004.000002223B505000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2813212061.0000026E3C5EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2419891016.000002275D8B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2841602569.00000219600E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2393075876.000001586692E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2662924761.0000020880001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2616454383.00000222686A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2776713478.00000219470E1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2710784303.000001E28A028000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2732182242.000001E28B0ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E24206000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2385156718.00000158000A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1873178796.00000235A47AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E2420C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2584934193.000002224FE81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2710784303.000001E28A069000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2072267454.000001B2EBAE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2844259514.000001E2A4196000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2699316243.00000208F9910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E2402B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2486344295.000001E1F70D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2071038379.000001B280073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2393075876.0000015866977000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2790873443.0000021947235000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2618275203.000002390023B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E23F4D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2618275203.0000023900243000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2341203187.0000015200270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2992789220.000001A5DF4B2000.00000002.00000001.01000000.00000044.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2388496843.0000022744985000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2257304683.000002223BDD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2618275203.0000023900020000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.0000015867396000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2763408092.0000016765750000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2072237433.0000029D3C8A2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2991884534.00000239E3BB3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1873751736.00000235A4910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2732182242.000001E28AC81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2723586863.00000208FA7E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000003.2761811783.000001676574E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2633279331.000002396D81C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2072267454.000001B2EBB21000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2732182242.000001E28AF64000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000003.2762028585.0000016765749000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2072921698.000001B2EBD90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2829189532.000001E2A30B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2981767076.00000239E333C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000000.2502364341.000001A5DF042000.00000002.00000001.01000000.0000002A.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2662924761.000002088019E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2633279331.000002396D790000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2088822606.00000241BA074000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2360561479.0000015269FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2816336025.0000026E3C637000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2392534933.0000015866820000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2797332651.0000026E3C245000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000003.2117297422.000002440CEC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2618275203.000002390022F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2584934193.000002224FFFF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2816336025.0000026E3C653000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2903937858.00007FFDF51F0000.00000004.00000001.01000000.0000001C.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2388496843.0000022744949000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2732182242.000001E28A9F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2618275203.000002390023E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2385156718.0000015800010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2618275203.0000023900001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1863468169.000002358C09C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E239F2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2699316243.00000208F99A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000003.2761544204.000001676573B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2341203187.00000152001AC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396475702.0000015866BD0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2707965416.00000208F9B10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2618275203.0000023900175000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2341203187.0000015200001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E23991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2662924761.0000020880242000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.0000015867721000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000000.2569497839.000002396D6A2000.00000002.00000001.01000000.0000002E.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2982908855.000001A5DF16C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2633279331.000002396D7D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2643246448.000002396DB30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2353581735.0000015268BAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E2422A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002E.00000002.2505676018.000002C239C40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E23D17000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2089852028.00000241BAA43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000003.00000003.1723738250.0000000004393000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2252746004.000002223B54F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.000001586748A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2732182242.000001E28AC8A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001F.00000002.2211125948.000002440CC73000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002C.00000003.2422406398.0000026BDEAA0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2341203187.0000015200095000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2981767076.00000239E33BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2793449512.0000021947A18000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000021.00000002.2209070573.000001BF3A2F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2254493143.000002223B7F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000023.00000002.2991884534.00000239E3AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2982908855.000001A5DF1A6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2619976879.0000022268709000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1862091988.000002358A410000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2252487588.000002223B410000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1861967852.000002358A390000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2652584802.0000026E231BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2579705714.000002224F762000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000004.00000003.1735481851.0000000004473000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.00000158673B5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2699316243.00000208F9953000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2358359058.0000015269EA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2089852028.00000241BAA53000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000003.2698164334.00000167660AF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2483872903.000001E180001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000011.00000002.1935944853.0000000004581000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2263051148.00000222545A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2982908855.000001A5DF1EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003A.00000002.2763352329.000001676574A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2355929789.0000015269C40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000038.00000002.2662924761.000002088020E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2732182242.000001E28AC77000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2657716214.0000026E234C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2341203187.000001520023F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E23CE8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2072331976.0000029D3CA03000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2392021388.0000022745130000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2353581735.0000015268BF9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2382223078.0000001E658F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2486344295.000001E1F70EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000005.00000003.1792181058.0000000004AEA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2793449512.00000219478A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000000.1807347475.000002358A2D2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2266485318.0000022255546000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2991622488.000001A5DF492000.00000002.00000001.01000000.00000042.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2252746004.000002223B4CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2071212803.0000029D3C2E6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E23D26000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2710784303.000001E28A0A2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E241F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1873933138.00000235A4AA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2451895454.000001587F9C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E2427D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2089852028.00000241BA9D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2994977412.000001A5DFDC5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000011.00000002.1935944853.0000000004624000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2618275203.000002390022D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000036.00000002.2732182242.000001E28AE81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2072267454.000001B2EBB26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000C.00000002.1863468169.000002358C0C4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000031.00000002.2486344295.000001E1F710E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000016.00000002.2072331976.0000029D3C9C7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2357856647.0000015269E10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2618275203.000002390022B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000003D.00000002.2643606210.000002396E780000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000000.2035254092.000001B2EB902000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2811041613.0000026E3C5C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2393075876.00000158668F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2357299685.0000015269D0F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000018.00000002.2088822606.00000241BA02B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000034.00000002.2994977412.000001A5DFBCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000000D.00000002.2396800785.0000015867081000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001A.00000002.2658520317.0000026E23AAB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002F.00000002.2793449512.0000021947B2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000014.00000002.2071038379.000001B280001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000002A.00000002.2584934193.0000022250002000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 0000001D.00000002.2341203187.0000015200304000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 2516, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7188, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7296, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7556, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7740, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 7988, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7268, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7184, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 5596, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AteraAgent.exe PID: 7500, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7840, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 7612, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cscript.exe PID: 7696, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageSTRemote.exe PID: 6012, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageMonitoring.exe PID: 8000, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageMonitoring.exe PID: 7140, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7196, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cmd.exe PID: 7328, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: cscript.exe PID: 7336, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 7644, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 1056, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageTicketing.exe PID: 7128, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageMonitoring.exe PID: 5212, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageOsUpdates.exe PID: 8028, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: msiexec.exe PID: 7996, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: rundll32.exe PID: 3720, type: MEMORYSTR
                                Source: Yara matchFile source: Process Memory Space: AgentPackageInternalPoller.exe PID: 3740, type: MEMORYSTR
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF9CB02A1CDB19CD90.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFDFE05222FB56D641.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFA6F35F9524476E30.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFADE2042B27E71D27.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF8B64D014C4383737.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\AteraSetupLog.txt, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF856228A69E1C7F63.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF02FCC3B492CAA10B.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIEB7A.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF4DF5ED62E382D608.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF909A1D070B5DB00B.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFF3A84280FF13AB42.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF1895BF484B59CF8F.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI85C2.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\476b78.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF5DD13AAEAD71C952.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI8AD4.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF4939F92601AB2289.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFA8AD7E5C0716F3AA.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFFC9FD086608A5E84.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIB494.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI6CCA.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSIA98C.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF075573CDEB11ECC0.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\476b80.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Config.Msi\476b73.rbs, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DF6B15EEE745742680.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Temp\~DFF2C6D625F2EAC65D.TMP, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSI6F8A.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, type: DROPPED
                                Source: Yara matchFile source: dropped/ConDrv, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
                                Source: Yara matchFile source: C:\Windows\Installer\MSID118.tmp, type: DROPPED
                                Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                                Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exeCode function: 37_2_00007FFDF509B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,37_2_00007FFDF509B9F0

                                Mitre Att&ck Matrix

                                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                                Gather Victim Identity Information1
                                Scripting                                		1
                                Replication Through Removable Media                                		641
                                Windows Management Instrumentation                                		1
                                Scripting                                		1
                                DLL Side-Loading                                		21
                                Disable or Modify Tools                                		OS Credential Dumping2
                                System Time Discovery                                		Remote Services11
                                Archive Collected Data                                		2
                                Encrypted Channel                                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                                CredentialsDomainsDefault Accounts1
                                Native API                                		1
                                DLL Side-Loading                                		22
                                Windows Service                                		11
                                Deobfuscate/Decode Files or Information                                		LSASS Memory11
                                Peripheral Device Discovery                                		Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
                                Email AddressesDNS ServerDomain Accounts1
                                Command and Scripting Interpreter                                		22
                                Windows Service                                		111
                                Process Injection                                		31
                                Obfuscated Files or Information                                		Security Account Manager3
                                File and Directory Discovery                                		SMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
                                Employee NamesVirtual Private ServerLocal Accounts11
                                Scheduled Task/Job                                		11
                                Scheduled Task/Job                                		11
                                Scheduled Task/Job                                		1
                                Timestomp                                		NTDS275
                                System Information Discovery                                		Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
                                Gather Victim Network InformationServerCloud Accounts11
                                Service Execution                                		Network Logon ScriptNetwork Logon Script1
                                DLL Side-Loading                                		LSA Secrets1
                                Query Registry                                		SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
                                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                                File Deletion                                		Cached Domain Credentials781
                                Security Software Discovery                                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items123
                                Masquerading                                		DCSync11
                                Process Discovery                                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                                Modify Registry                                		Proc Filesystem371
                                Virtualization/Sandbox Evasion                                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt371
                                Virtualization/Sandbox Evasion                                		/etc/passwd and /etc/shadow1
                                Application Window Discovery                                		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron111
                                Process Injection                                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
                                Network Security AppliancesDomainsCompromise Software Dependencies and Development ToolsAppleScriptLaunchdLaunchd1
                                Rundll32                                		Input CaptureSystem Network Connections DiscoverySoftware Deployment ToolsRemote Data StagingMail ProtocolsExfiltration Over Unencrypted Non-C2 ProtocolFirmware Corruption

                                Behavior Graph

                                Hide Legend

                                Legend:

                                • Process
                                • Signature
                                • Created File
                                • DNS/IP Info
                                • Is Dropped
                                • Is Windows Process
                                • Number of created Registry Values
                                • Number of created Files
                                • Visual Basic
                                • Delphi
                                • Java
                                • .Net C# or VB.NET
                                • C, C++ or other language
                                • Is malicious
                                • Internet
                                behaviorgraph top1 signatures2 2 Behavior Graph ID: 1576619 Sample: setup.msi Startdate: 17/12/2024 Architecture: WINDOWS Score: 100 151 Multi AV Scanner detection for dropped file 2->151 153 Multi AV Scanner detection for submitted file 2->153 155 Yara detected AteraAgent 2->155 157 8 other signatures 2->157 8 AteraAgent.exe 2->8         started        13 msiexec.exe 173 118 2->13         started        15 AteraAgent.exe 2->15         started        17 4 other processes 2->17 process3 dnsIp4 145 108.158.75.4 AMAZON-02US United States 8->145 93 C:\...\System.Management.dll, PE32 8->93 dropped 95 C:\...95ewtonsoft.Json.dll, PE32 8->95 dropped 97 C:\...\Microsoft.Win32.TaskScheduler.dll, PE32 8->97 dropped 105 192 other malicious files 8->105 dropped 167 Installs Task Scheduler Managed Wrapper 8->167 19 AgentPackageUpgradeAgent.exe 8->19         started        23 AgentPackageMonitoring.exe 8->23         started        26 AgentPackageOsUpdates.exe 8->26         started        34 5 other processes 8->34 99 C:\Windows\Installer\MSIF448.tmp, PE32 13->99 dropped 101 C:\Windows\Installer\MSIC85D.tmp, PE32 13->101 dropped 103 C:\Windows\Installer\MSIBB4C.tmp, PE32 13->103 dropped 107 59 other files (50 malicious) 13->107 dropped 28 msiexec.exe 13->28         started        30 AteraAgent.exe 13->30         started        36 2 other processes 13->36 147 108.158.75.93 AMAZON-02US United States 15->147 149 13.232.67.198 AMAZON-02US United States 15->149 109 30 other malicious files 15->109 dropped 169 Creates files in the system32 config directory 15->169 171 Reads the Security eventlog 15->171 173 Reads the System eventlog 15->173 38 7 other processes 15->38 32 conhost.exe 17->32         started        file5 signatures6 process7 dnsIp8 131 20.60.197.1 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 19->131 75 C:\...\System.ValueTuple.dll, PE32 19->75 dropped 77 C:\Program Files (x86)\...\Pubnub.dll, PE32 19->77 dropped 79 C:\...79ewtonsoft.Json.dll, PE32 19->79 dropped 91 4 other malicious files 19->91 dropped 51 2 other processes 19->51 81 C:\Program Files (x86)\...\log.txt, ASCII 23->81 dropped 159 Queries disk data (e.g. SMART data) 23->159 40 conhost.exe 23->40         started        133 20.50.88.227 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 26->133 42 conhost.exe 26->42         started        44 rundll32.exe 28->44         started        48 rundll32.exe 15 9 28->48         started        53 2 other processes 28->53 135 199.232.214.172 FASTLYUS United States 30->135 137 192.229.221.95 EDGECASTUS United States 30->137 83 C:\Windows\System32\InstallUtil.InstallLog, Unicode 30->83 dropped 85 C:\...\AteraAgent.InstallLog, Unicode 30->85 dropped 161 Creates files in the system32 config directory 30->161 163 Reads the Security eventlog 30->163 165 Reads the System eventlog 30->165 139 152.199.23.209 EDGECASTUS United States 34->139 87 C:\...\TicketingTray.exe (copy), PE32 34->87 dropped 55 6 other processes 34->55 57 3 other processes 36->57 141 52.223.39.232 AMAZONEXPANSIONGB United States 38->141 143 3.160.77.18 AMAZON-02US United States 38->143 89 C:\Windows\Temp\SplashtopStreamer.exe, PE32 38->89 dropped 59 8 other processes 38->59 file9 signatures10 process11 dnsIp12 111 C:\...\AlphaControlAgentInstallation.dll, PE32 44->111 dropped 121 3 other files (none is malicious) 44->121 dropped 175 System process connects to network (likely due to code injection or exploit) 44->175 129 40.119.152.241 MICROSOFT-CORP-MSN-AS-BLOCKUS United States 48->129 113 C:\...\AlphaControlAgentInstallation.dll, PE32 48->113 dropped 123 3 other files (none is malicious) 48->123 dropped 115 C:\...\AlphaControlAgentInstallation.dll, PE32 53->115 dropped 117 C:\...\AlphaControlAgentInstallation.dll, PE32 53->117 dropped 125 6 other files (none is malicious) 53->125 dropped 61 conhost.exe 55->61         started        63 cscript.exe 55->63         started        119 C:\...\AlphaControlAgentInstallation.dll, PE32 57->119 dropped 127 3 other files (none is malicious) 57->127 dropped 65 conhost.exe 57->65         started        67 net1.exe 57->67         started        69 conhost.exe 57->69         started        71 conhost.exe 59->71         started        73 cscript.exe 59->73         started        file13 signatures14 process15

                                Screenshots

                                Thumbnails

                                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                                windows-stand

                                Antivirus, Machine Learning and Genetic Malware Detection

                                Initial Sample

                                SourceDetectionScannerLabelLink
                                setup.msi21%VirustotalBrowse
                                setup.msi26%ReversingLabsWin32.Trojan.Atera

                                Dropped Files

                                SourceDetectionScannerLabelLink
                                476b79.rbf (copy)26%ReversingLabsWin32.PUA.Atera
                                476b7b.rbf (copy)0%ReversingLabs
                                476b7c.rbf (copy)0%ReversingLabs
                                476b7d.rbf (copy)0%ReversingLabs
                                476b7e.rbf (copy)0%ReversingLabs
                                476b7f.rbf (copy)0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe26%ReversingLabsWin32.PUA.Atera
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll0%ReversingLabs
                                C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll0%ReversingLabs

                                Unpacked PE Files

                                No Antivirus matches

                                Domains

                                No Antivirus matches

                                URLs

                                No Antivirus matches

                                Domains and IPs

                                Contacted Domains

                                No contacted domains info

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                https://monitor.azure.com//.defaultAgentPackageOsUpdates.exe, 00000038.00000002.2734200138.00000208FAA92000.00000002.00000001.01000000.0000003C.sdmpfalse
                                  https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zipAteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                    http://schemas.datacontract.orgAteraAgent.exe, 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                      https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zipAteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpfalse
                                        http://sertifikati.ca.posta.rs/crl/PostaCARoot.crl0AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                          https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.24.1.46.nupkgXAgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFBCC000.00000004.00000800.00020000.00000000.sdmpfalse
                                            https://nlog-project.org/AgentPackageMonitoring.exe, 00000025.00000002.2266195665.0000022254938000.00000002.00000001.01000000.00000024.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpfalse
                                              https://agent-api.atera.com/Production/Agent/track-eventrundll32.exe, 00000004.00000002.1783660722.0000000004831000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1783660722.00000000048D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004581000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004624000.00000004.00000800.00020000.00000000.sdmpfalse
                                                http://dl.google.com/googletalk/googletalk-setup.exeAteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000000.2035254092.000001B2EB902000.00000002.00000001.01000000.00000016.sdmpfalse
                                                  http://repository.swisssign.com/0AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/24.3/AGENTPACKAGESTREMOTE.ZIPAteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                      https://agent-api.atera.com/Production/Agent/thresholds/9242d891-5551-462a-a31d-e7fa704b4ae1AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        http://schemas.datacontract.org/2004/07/System.ServiceProcessAteraAgent.exe, 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.zAteraAgent.exe, 0000000D.00000002.2396800785.00000158674D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            https://my.splashtop.com/csrs/winAgentPackageSTRemote.exe, 00000023.00000000.2140448017.00000239E3242000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3BC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              http://wixtoolset.orgrundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.ZAteraAgent.exe, 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E2427D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  https://agent-api.atera.com/Production/Agent/track-event;rundll32.exe, 00000004.00000002.1783660722.0000000004916000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004666000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstallerAteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      http://acontrol.atera.com/AteraAgent.exe, 0000000C.00000000.1807347475.000002358A2D2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867081000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23991000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        https://agent-api.atera.com/Production/Agent/dynamic-fields/AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200270000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          https://westeurope-5.in.applicationinsights.azure.coAgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            https://westeurope-5.in.applicationinsights.azure.com/AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/26.5/AgentPackageProgramManageAteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23AAB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zipAteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.11/AgentPackageSystemTools.zipAteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                    https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.2/AgentPackageTicketing.zipAteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namerundll32.exe, 00000004.00000002.1783660722.0000000004831000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1783660722.00000000048D4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867081000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004581000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004624000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2071038379.000001B280083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2072331976.0000029D3CAA9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23991000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200270000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3BC1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.00000222500B4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.000002224FE81000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002F.00000002.2793449512.00000219478A1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFA31000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AC8A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.000002088019E000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 0000003D.00000002.2618275203.0000023900020000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b4829a1e-7abe-483e-95c6-bc05ffcf1c59AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          https://westeurope-5.in.applicationinsights.azure.com/v2/trackAgentPackageOsUpdates.exe, 00000038.00000002.2662924761.00000208800D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zipAteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674D3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLEAteraAgent.exe, 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.2/AgentPackageTicketing.zip?jnWPUcOAteraAgent.exe, 0000001A.00000002.2658520317.0000026E23AAB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  https://www.anf.es/address/)1(0&AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                    http://my.splashtop.comAgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3C54000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip?jnWPAteraAgent.exe, 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        http://ocsp.digice~AteraAgent.exe, 0000001A.00000002.2818435322.0000026E3C68B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          https://api.nuget.org/v3-flatcontainer/eo.webbrowser/24.1.46/eo.webbrowser.24.1.46.nupkgAgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFBCC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000034.00000002.2991622488.000001A5DF492000.00000002.00000001.01000000.00000042.sdmpfalse
                                                                                                            https://dc.services.visualstudio.com/XAgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                              https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnostiAgentPackageOsUpdates.exe, 00000038.00000000.2548562734.00000208F9692000.00000002.00000001.01000000.0000002B.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.00000208800D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=a5fd113e-6197-4e15-a459-6d094af70b09AteraAgent.exe, 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                  https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.4.exeAgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3C79000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3C54000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3C75000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                    https://www.anf.es/AC/ANFServerCA.crl0AteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      https://dc.services.visualstudio.com/pAgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                        https://download.splashtop.comAgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3C79000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                          https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                            https://agent-api.atera.comAteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867081000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004581000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.1935944853.0000000004624000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2071038379.000001B280083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000016.00000002.2072331976.0000029D3CAA9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23991000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200270000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.00000152001AC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200095000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.000001520023F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.00000222500B4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.000002224FE81000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFA31000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AC8A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AE81000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              https://www.nuget.org/packages/NLog.Web.AspNetCoreAgentPackageMonitoring.exe, 00000025.00000002.2266195665.0000022254938000.00000002.00000001.01000000.00000024.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpfalse
                                                                                                                                https://westeurope.livediagnostics.monitor.azure.com/pcqAgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                  https://dc.services.visualstudio.com/fAgentPackageOsUpdates.exe, 00000038.00000002.2734200138.00000208FAA92000.00000002.00000001.01000000.0000003C.sdmpfalse
                                                                                                                                    https://profiler.monitor.azure.com/AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.00000208800D6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      http://www.w3.ohAteraAgent.exe, 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        https://agent-api.atera.com/Production/Agent/GetCommandsAteraAgent.exe, 0000000D.00000002.2396800785.0000015867104000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                          https://profiler.monitor.azure.com/pcqAgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.9/Agent.Package.Watchdog.zip?jnWPUcAteraAgent.exe, 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEAGENTINFORMATION/38.3/AGENTPACKAGEAGENTINFORMATIAteraAgent.exe, 0000000D.00000002.2396800785.0000015867217000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                http://api.nuget.orgAgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFDC5000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  http://nlog-project.org/ws/AgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpfalse
                                                                                                                                                    http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesTAgentPackageMonitoring.exe, 00000025.00000002.2265501561.0000022254862000.00000002.00000001.01000000.00000024.sdmpfalse
                                                                                                                                                      https://ps.atera.com/aAteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                        https://urn.to/r/sds_seeAgentPackageMonitoring.exe, 00000025.00000002.2264389907.00000222546A2000.00000002.00000001.01000000.00000022.sdmpfalse
                                                                                                                                                          https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.AteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/24.3/AgentPackageSTRemote.ziphAteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              http://www.digicert.cAteraAgent.exe, 0000000D.00000002.2387706196.0000015800139000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2387706196.0000015800143000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/chAteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  https://snapshot.monitor.azure.com/AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.00000208800D6000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    http://www.datev.de/zertifikat-policy-int0AteraAgent.exe, 0000000D.00000002.2451895454.000001587F960000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                      https://my.splashtop.comAgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3BC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        https://agent-api.atera.com/Production/Agent/recurringCoAgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.00000222500B4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                          http://crl.microsoftFuAgentPackageAgentInformation.exe, 00000016.00000002.2074039733.0000029D55371000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                            http://cacerts.digicert.AgentPackageAgentInformation.exe, 00000014.00000002.2073417612.000001B2ECB79000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameWAREAgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200001000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                https://system.data.sqlite.org/XAgentPackageMonitoring.exe, 00000025.00000002.2264723090.0000022254704000.00000002.00000001.01000000.00000022.sdmpfalse
                                                                                                                                                                                  https://ps.atera.com/agentpackageswin/AgentPackageHeartbeat/16.9AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    http://www.abit.com.tw/AgentPackageMonitoring.exe, 00000025.00000002.2254599365.000002223BC62000.00000002.00000001.01000000.0000001F.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AF9F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                      https://dc.services.visualstudio.com/v2/trackAgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                        https://agent-api.atera.com/Production/Agent/recurringCommandResultAgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.00000152001AC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.000001520023F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.00000222500B4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000002A.00000002.2584934193.000002224FE81000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          https://api.nuget.orgAgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFDB0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                            https://web.certicamara.com/marco-legal0ZAteraAgent.exe, 0000000D.00000002.2390790974.0000015800555000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                              https://agent-api.atera.com/Production/Agent/AcknowledgeCommandsAteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.3/AgentPackageAgentInformatiAteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23A58000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exeAteraAgent.exe, 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000023.00000000.2140448017.00000239E3242000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageSTRemote.exe, 00000023.00000002.2991884534.00000239E3BC1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zipAteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/9242d891AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        https://agent-api.atera.com/Production/Agent/CommandResultRecurring/AgentPackageTicketingInstallHelpAgentPackageTicketing.exe, 00000034.00000002.2994977412.000001A5DFA31000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          https://agent-api.PAgentPackageAgentInformation.exe, 0000001D.00000002.2341203187.0000015200270000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            https://ps.atera.com/agentpackagesnetAteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              http://www.w3.oAteraAgent.exe, 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Fhttps://profiler.monitorAgentPackageOsUpdates.exe, 00000038.00000002.2734200138.00000208FAA92000.00000002.00000001.01000000.0000003C.sdmpfalse
                                                                                                                                                                                                                  https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAAteraAgent.exe, 0000000D.00000002.2396800785.00000158672F9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    https://agent-api.atera.com/Production/Alerts/AddAlertsFromAgentAgentPackageMonitoring.exe, 00000036.00000002.2732182242.000001E28AC8A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      https://github.com/JamesNK/Newtonsoft.Jsonrundll32.exe, 00000003.00000003.1723738250.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1735481851.00000000044A4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1792181058.0000000004B1B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.1878247865.000000000441D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2073017752.000001B2EC212000.00000002.00000001.01000000.00000019.sdmp, AgentPackageMonitoring.exe, 00000025.00000002.2264874210.0000022254782000.00000002.00000001.01000000.00000023.sdmp, AgentPackageUpgradeAgent.exe, 00000031.00000002.2489978851.000001E1F8030000.00000002.00000001.01000000.00000029.sdmp, rundll32.exe, 0000003C.00000003.2566734435.0000000004211000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        https://ps.pndsn.com/v2/subscribAteraAgent.exe, 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                          http://www.anf.es/AC/RC/ocsp0cAteraAgent.exe, 0000000D.00000002.2387706196.00000158001F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zipAteraAgent.exe, 0000000D.00000002.2396800785.00000158670FC000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.AvailaAteraAgent.exe, 0000001A.00000002.2658520317.0000026E2427D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                http://www.ancert.com/cps0AteraAgent.exe, 0000000D.00000002.2391198378.0000015800580000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                  https://profiler.monitor.azure.com/pAgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmp, AgentPackageOsUpdates.exe, 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                    https://ps.pndsnAteraAgent.exe, 0000000D.00000002.2396800785.00000158672F9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                      https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.3/AgentPackageAgentInformationAteraAgent.exe, 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmpfalse

                                                                                                                                                                                                                                        World Map of Contacted IPs

                                                                                                                                                                                                                                        • No. of IPs < 25%
                                                                                                                                                                                                                                        • 25% < No. of IPs < 50%
                                                                                                                                                                                                                                        • 50% < No. of IPs < 75%
                                                                                                                                                                                                                                        • 75% < No. of IPs

                                                                                                                                                                                                                                        Public IPs

                                                                                                                                                                                                                                        IPDomainCountryFlagASNASN NameMalicious
                                                                                                                                                                                                                                        40.119.152.241
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUStrue
                                                                                                                                                                                                                                        3.160.77.18
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        108.158.75.93
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        108.158.75.4
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        199.232.214.172
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		54113FASTLYUSfalse
                                                                                                                                                                                                                                        192.229.221.95
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		15133EDGECASTUSfalse
                                                                                                                                                                                                                                        152.199.23.209
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		15133EDGECASTUSfalse
                                                                                                                                                                                                                                        13.232.67.198
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		16509AMAZON-02USfalse
                                                                                                                                                                                                                                        20.60.197.1
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse
                                                                                                                                                                                                                                        52.223.39.232
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8987AMAZONEXPANSIONGBfalse
                                                                                                                                                                                                                                        20.50.88.227
                                                                                                                                                                                                                                        		unknownUnited States
                                                                                                                                                                                                                                        		8075MICROSOFT-CORP-MSN-AS-BLOCKUSfalse

                                                                                                                                                                                                                                        General Information

                                                                                                                                                                                                                                        Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                        Analysis ID:1576619
                                                                                                                                                                                                                                        Start date and time:2024-12-17 10:29:41 +01:00
                                                                                                                                                                                                                                        Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                        Overall analysis duration:0h 14m 7s
                                                                                                                                                                                                                                        Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                        Report type:full
                                                                                                                                                                                                                                        Cookbook file name:default.jbs
                                                                                                                                                                                                                                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                                                                                                        Number of analysed new started processes analysed:63
                                                                                                                                                                                                                                        Number of new started drivers analysed:0
                                                                                                                                                                                                                                        Number of existing processes analysed:0
                                                                                                                                                                                                                                        Number of existing drivers analysed:0
                                                                                                                                                                                                                                        Number of injected processes analysed:0
                                                                                                                                                                                                                                        Technologies:
                                                                                                                                                                                                                                        • HCA enabled
                                                                                                                                                                                                                                        • EGA enabled
                                                                                                                                                                                                                                        • AMSI enabled
                                                                                                                                                                                                                                        Analysis Mode:default
                                                                                                                                                                                                                                        Analysis stop reason:Timeout
                                                                                                                                                                                                                                        Sample name:setup.msi
                                                                                                                                                                                                                                        Detection:MAL
                                                                                                                                                                                                                                        Classification:mal100.troj.spyw.evad.winMSI@103/435@0/11
                                                                                                                                                                                                                                        EGA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 15.4%
                                                                                                                                                                                                                                        HCA Information:
                                                                                                                                                                                                                                        • Successful, ratio: 61%
                                                                                                                                                                                                                                        • Number of executed functions: 420
                                                                                                                                                                                                                                        • Number of non-executed functions: 1
                                                                                                                                                                                                                                        Cookbook Comments:
                                                                                                                                                                                                                                        • Found application associated with file extension: .msi

                                                                                                                                                                                                                                        Warnings

                                                                                                                                                                                                                                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 5596 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7184 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7268 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AgentPackageSTRemote.exe, PID 6012 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7500 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7556 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target AteraAgent.exe, PID 7740 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 2516 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7188 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7296 because it is empty
                                                                                                                                                                                                                                        • Execution Graph export aborted for target rundll32.exe, PID 7988 because it is empty
                                                                                                                                                                                                                                        • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                                                                                        • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                        • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                        • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                                                        • Skipping network analysis since amount of network traffic is too extensive

                                                                                                                                                                                                                                        Simulations

                                                                                                                                                                                                                                        Behavior and APIs

                                                                                                                                                                                                                                        TimeTypeDescription
                                                                                                                                                                                                                                        04:30:44API Interceptor2x Sleep call for process: rundll32.exe modified
                                                                                                                                                                                                                                        04:30:50API Interceptor1702x Sleep call for process: AteraAgent.exe modified
                                                                                                                                                                                                                                        04:31:13API Interceptor68x Sleep call for process: AgentPackageAgentInformation.exe modified
                                                                                                                                                                                                                                        04:31:25API Interceptor72123x Sleep call for process: AgentPackageSTRemote.exe modified
                                                                                                                                                                                                                                        04:31:28API Interceptor115x Sleep call for process: AgentPackageMonitoring.exe modified
                                                                                                                                                                                                                                        04:32:02API Interceptor39x Sleep call for process: AgentPackageOsUpdates.exe modified
                                                                                                                                                                                                                                        04:32:03API Interceptor3210x Sleep call for process: AgentPackageTicketing.exe modified
                                                                                                                                                                                                                                        04:32:07API Interceptor1x Sleep call for process: AgentPackageInternalPoller.exe modified
                                                                                                                                                                                                                                        04:32:22API Interceptor7x Sleep call for process: AgentPackageUpgradeAgent.exe modified
                                                                                                                                                                                                                                        09:31:54Task SchedulerRun new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun

                                                                                                                                                                                                                                        Joe Sandbox View / Context

                                                                                                                                                                                                                                        IPs

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Domains

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        ASNs

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        JA3 Fingerprints

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Dropped Files

                                                                                                                                                                                                                                        No context

                                                                                                                                                                                                                                        Created / dropped Files

                                                                                                                                                                                                                                        476b79.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        476b7a.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        476b7b.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        476b7c.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        476b7d.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        476b7e.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        476b7f.rbf (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Config.Msi\476b73.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8803
                                                                                                                                                                                                                                        Entropy (8bit):5.656862022220368
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:5Agj4xz1ccbTOOeMeunbAK61h7r6IHfh7r6kAVv70HVotBVeZEmzmYpLAV77QXpZ:zED2yn0DppptiB2i8
                                                                                                                                                                                                                                        MD5:00F8145F3F516B62FF323F0548E6BAA8
                                                                                                                                                                                                                                        SHA1:AA7EEF65B4D0C2027BDAEE0DAFBE1348F2170BD2
                                                                                                                                                                                                                                        SHA-256:FD954FD86EEC65890DEC5350161175B6DE9BD44E6EDEDD8CB157D928A3669776
                                                                                                                                                                                                                                        SHA-512:0589507FB7015C91264FE186723F3ECC053662BD608A9B0A2CA47FF6F6302902C890A6314A121BC5DB6093DD235AFDEA5E14A112913E5FE2E53E9F8C77A5983E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\476b73.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.#.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..setup.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{38F01010-E311-4A2

                                                                                                                                                                                                                                        C:\Config.Msi\476b78.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):9469
                                                                                                                                                                                                                                        Entropy (8bit):5.562969055499122
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:1gj4GBjcRhXbLCsgRgbLCMDp17qEVl0QrLALtyD0qagukGGhaKfmbHt1fiqk4rEa:WEUoRhPgRGdBKKbq9T
                                                                                                                                                                                                                                        MD5:2B4D53015640A3CDF196CB4919F25FBC
                                                                                                                                                                                                                                        SHA1:11BBEAF5C50DBF13B31ED81690C62F11AA1DF2C5
                                                                                                                                                                                                                                        SHA-256:4C2D13123A70CC3975A4C60BFA7FB38FF0C3CBFF0435E8DA9A446FBB2EA3025C
                                                                                                                                                                                                                                        SHA-512:77CFCD4375B99C30A50FA39059555A032853499CC355D8155DD9CBAAF3F388387F72E22E007ECE793CEB3B35EA45A5C4EA24EBF33EC94E627A29A519CF620522
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\476b78.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.$.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..setup.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....InstallInitialize$..@....z.Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\Transforms...@....(.$..@....@.Software\Microsoft\Windows\CurrentVersion\Installer\TempPackages...@....(.&...C:\Windows\Installer\476b74.msi..#0$..@......Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\7D0A237E2F2A7564CA141B792446E854\InstallPropertiesx.....\...l.............H.........?...................9...................?........... ... ........... ... ................@....%...AuthorizedCDFPrefix%...Comments%...Contact%...DisplayVersion..1.8.7.2%...HelpLink%...HelpTelep

                                                                                                                                                                                                                                        C:\Config.Msi\476b80.rbs

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8767
                                                                                                                                                                                                                                        Entropy (8bit):5.654323689189842
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:KTy7wo+fncHMet186IT86k7s5VNpkxYpLso:kPo+fncH/8V8tSNpkcP
                                                                                                                                                                                                                                        MD5:D6143A20C832D05F90E5EC9765BB8D25
                                                                                                                                                                                                                                        SHA1:126D212EC25A9AB61FE0621CB8E4052FA1854BA9
                                                                                                                                                                                                                                        SHA-256:C003808C532D8B74E098BD92E25ADC6C8A88D9C38E45C3D9C3D2E3248C3BD7C6
                                                                                                                                                                                                                                        SHA-512:4B91C41FFA0C96C9B1CF55D8046076ACE191C06BDD450D231B52C02B46444F20B22D65556C28B857C63A4BA52222686EBCE9A08E6597ABD944C0AB843955EF63
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\476b80.rbs, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\476b80.rbs, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.$.Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}.@......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):753
                                                                                                                                                                                                                                        Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                        MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                        SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                        SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                        SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7466
                                                                                                                                                                                                                                        Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                        MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                        SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                        SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                        SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):867680
                                                                                                                                                                                                                                        Entropy (8bit):7.9997736442376235
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:Y0MtJOalt7fQwfM+tshGvx5LBhqAc9sDQPfg:65Lm++hGZ5LnZMO8fg
                                                                                                                                                                                                                                        MD5:C69E12A2FDB222AC19491223E62AE9C6
                                                                                                                                                                                                                                        SHA1:51ACDF44ED02243895259C702F34BD0B3BFB01C5
                                                                                                                                                                                                                                        SHA-256:D99B0723324687A670E2E62CE1EE2EEBC768C1E4BE2420B235FFDD6BD8E199EB
                                                                                                                                                                                                                                        SHA-512:A69F0BF71DFE22BD25A43A4095322CBEAC9F1717A7BBC450C93A086F6BE0D46B6D3AD4F7F1C1D0361055E2B905AA9A926ED617BB2AB18D8FE827E8F1156F2C0F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....}BrX.j5.........-...AgentPackageADRemote/AgentPackageADRemote.exe....0........d......0.....r...,.. UMA...|f-].=.U.j..p.....r..f.<..Z..g}m..LC.T.....Y.{s\.k... Y.....4..}..h.<L......L.........z.i9.K..~.ue."#"r.r..p..0.\./R...C.w..8..-.3.t...(.c..P..N....q.v&........u.a.e...]...9....r.@.=\v..B.~{|c.j.S...JL!g..Y@Ts9D$...)P.......{..8...Y...K...Z._".@.....a.8.P..7...ZY.-D8f\..ej.....@.w.$R>Q.B.....V..@..9....zdB..x..GK.....LDp...Xc......x......*.u..R..,...#...Q,.V....}..W....oT.._6n.g..bK.p.s...pABSv0.7..'.JK ....b.Y.-.B...!'Tjsn...."V......B.@.<CQ.K....>D.5E..w.'. ._%E..-......7.M..u1nr.7....T[.%6..t...Z..Q.;./....k.V....J-.\`..d...K.c. ..D.G.j.../..z..k.KH.....!..M...8....fr.......m....2..4-... ..CF...skN*.kv.E[3."gi3.Uv..*.S...n..~...)..!V..>...D..2..b..}..xW.ZPd..X\.g...1.RY.u.]p..Z b%r.....Hc.N.+[E...Q....3.K.H.....)NQ@L......./2.v..q...*.-:%... "...`...i..+!.D..q.];.ARRrQZ.B. i...M...Qy$.....p...A.U...=...LHF%...]..l.S.pl1....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):384894
                                                                                                                                                                                                                                        Entropy (8bit):7.999386459973609
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:v5tKfF+xcaAeibHkWm83Bb5HKVP92+imBs7H8dPkoFuvjQ2AhWy90sW1WTHHVwM9:htUF+xcsibbLLPUWOPkeuU2AsyjW15PE
                                                                                                                                                                                                                                        MD5:ABA4C6047CFEC27B6DB13E0F103F4BDB
                                                                                                                                                                                                                                        SHA1:916CB99BF2828286034BA6EF63891AABA24770EF
                                                                                                                                                                                                                                        SHA-256:B88271E1A2DF3FB14FA862922ECE74E403C6135DDE18BD58EE1F2003992F1D38
                                                                                                                                                                                                                                        SHA-512:6AD7D25781EDD630E2DD187A2523ACD3623ADA5AF5BBB822AEDE3643BA4A04E191B7E2B31DE78E362B9AC44A38A917B19C19FEBEA4EBC1E963F9F85BEA61DCA6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....u..Y..p.........=...AgentPackageAgentInformation/AgentPackageAgentInformation.exe....(.......8..........J..0....:........ggZ.......(;4jy.../...l...B...J....,..7;.2a..z.^.....d.....R.....B....U6-.j.D.}..7(..O...{<...^...R...$X.......g.u..C".............U...;...K...{C....k......MA0..$.X.JK@>Q.omT;.......6...%H..L...|.u"w...y.$.|].m.X/0.Ev.c$....X.;@...$^L*...g$...-.t...z>a..8g|O.K..b.?f?.......b........lsJ.*0..{zV1..U.*...=..C$..8a.....@(..s.r...k.....6.*...op.%....Z.!.7M3.C.>.aH.BS..?lB...SW...h.......hB...cT^uI1o..'x..eq)5@.[....$.]......1.LPx.....Q..{z..Ynm......OKr.S.S$z..4..a.D..R........2$...5B...;S..Ys...a....h.. .M..e.M...>...P,..Q.H.P.Yj.).I.y..ZC|S...'..U.]..r.".vA....n.>#...1.v..,Q.i.... ..u.p$.b.?...8<..v..o.*.Sf<r.Cx.C.'.#3.RL..kw.,..(Wz...L'..@..]K..z...E.....a....a...kG.P..#.D.....DKp.{;.\.*..R....Hp]...m<5.6.sjq...!.55.....|8...j...F...Lp.I...../.*.....Q..VR.0x..`.j*...j......%qc..2......WG...7_.d.V....7)@g..~.8M..=......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):178728
                                                                                                                                                                                                                                        Entropy (8bit):5.825238453021458
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:hEEm/xCr5UQFKa2kf9ZSf4aP8gCko0Dcm:hE7/xCwa2C9ZAt
                                                                                                                                                                                                                                        MD5:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        SHA1:C686501C1CDE18346B237C83450333E95570B844
                                                                                                                                                                                                                                        SHA-256:073E4CB181DF1D54B75277A52356A8D42573D61E878710BACDA8F2B0931D08A1
                                                                                                                                                                                                                                        SHA-512:C933C7C1FA3DEFE69CB1A86193A04533068C3695DCC14B235DA9E9342C5A81245060C72669069F2A06410DE7AEA1CABDFBC41B410353C597A731250E00CCBE93
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M.Tg.........."...0.............".... ........@.. ..............................i.....`....................................O.......................((........................................................... ............... ..H............text...p.... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H....... ...x.......,....................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o .....s!...%.o".......o#.....s$..........s%...%......io&...%o'.....o(.......o)...o).....(*...*..0..........r...p... .....r...p.(.....o......(.....o.......(+..........s......[o .....s!...%.o".......o,.......s-..........s%......i.l.....%......io........o)...o)...(.........o/...*..(0...*..{....*"..}....*..{....*"..}....*..{.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):546
                                                                                                                                                                                                                                        Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                        MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                        SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                        SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                        SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.418295834054489
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWYn:WB
                                                                                                                                                                                                                                        MD5:F647BC6B4E05B062BDE5A2F379B438BE
                                                                                                                                                                                                                                        SHA1:17FFC1B640A9AD0A8DC087CCA6C99478197EBAA0
                                                                                                                                                                                                                                        SHA-256:5F46695D90CFFB577A2961A23BE6DFAC09B39BFB2B9CBA13E5327407EE3557B6
                                                                                                                                                                                                                                        SHA-512:7EDB51CEFC77A67EF55093AA31D5C8AC899A6681D53AE6300132D851644CB15A0762511C61378C4C8C8C02A1B83A704E834C627B0998673085357A04599280AF
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=38.3

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96808
                                                                                                                                                                                                                                        Entropy (8bit):6.1801112962149105
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:sJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762OO:sQUm2H5KTfOLgxFJjE50vksVUfPvO1YO
                                                                                                                                                                                                                                        MD5:14FCB3F21FFC0FF3FA9F3C1CDEEFAE9D
                                                                                                                                                                                                                                        SHA1:6FD620BFC789F753E52E458A01E9522F3651E30B
                                                                                                                                                                                                                                        SHA-256:4C9AC64A4044D378D198A4371C7B346F891BF649EF21104440B8B4106AD0494C
                                                                                                                                                                                                                                        SHA-512:F3AE77B31184EDBA0AD2C97035AA96D2A28C77EBEF1CA7B4F26751DA606D2A0C9E0C636D51B44E1984BF6FEF3BECE596EA3CEDF3F901276CC61718AD3B20CFC7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................{.....`.................................(f..O.......8............R..((...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):704552
                                                                                                                                                                                                                                        Entropy (8bit):5.953924597885397
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:r9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3g:r8m657w6ZBLmkitKqBCjC0PDgM5w
                                                                                                                                                                                                                                        MD5:E337926D73F2A989AAAEE4C76709B750
                                                                                                                                                                                                                                        SHA1:11236A81C756E4137BC9400B62A93C4A2FA16BC1
                                                                                                                                                                                                                                        SHA-256:95E8D460402889DB8D3A87E4AAD117DCF829AB4FDCFB5B53589325E7DEDA7EB4
                                                                                                                                                                                                                                        SHA-512:ACDF3121F79BDC7ECE72D9539BFD3CD0436F406529EDC1D92ACB16A1EA212FFEEADD1839A38F013FE898F2B23B9CCC92C4A7DDBFFCD7B6F808388307072AAF7F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ...................................`.....................................O.......................((.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H........{...,..................d.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{^....3...{]......(....,...{]...*..{_.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\dynamicfieldscaching.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):4.663575178423969
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:hsShKY4MsShLP6SX9NfzyShaKf0OMBGShaKf0Od:P4qBX9Nf1MLd
                                                                                                                                                                                                                                        MD5:79CC835078CC5ED5AAD069AA0639EB9F
                                                                                                                                                                                                                                        SHA1:B6ABC230485E830F8E9E284E63935156442AF455
                                                                                                                                                                                                                                        SHA-256:9A104ABC5EE9AED5737D5AF5A7BDBE0BEC655B1446041873017B5C560355A6D1
                                                                                                                                                                                                                                        SHA-512:8698A158A27581D81106831475DAF28A349BF09A46080520B78F8CCEEE1DD4B0F73C309FDE07A23FD211E2DA0781CE3B63D5A5B0D368903F3D51B20D1F76D2B9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................TAgentPackageAgentInformation, Version=38.3.0.0, Culture=neutral, PublicKeyToken=null.....6AgentPackageAgentInformation.Cache.CachedDynamicFields.....<DynamicFields>k__BackingField.<Timestamp>k__BackingField..JAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto[]................x.}..H...............HAgentPackageAgentInformation.Api.Information.CustomField.DynamicFieldDto................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\information.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):4.128724445269142
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:1ThV2kWUk4/h3t:mbW
                                                                                                                                                                                                                                        MD5:DDBE54DD8F69829D623F7DE9E08757C0
                                                                                                                                                                                                                                        SHA1:CC6126259C0E5E4C3E30B079A0021C451CFF094B
                                                                                                                                                                                                                                        SHA-256:9D7EAFB086686F40456B3DAD568319E3FBCD44EAAAF99B522E00734640999B48
                                                                                                                                                                                                                                        SHA-512:35A99EBE5BC241E357712CFDDD63D5F930DBBE9147C7FBECEFFFB091B4B2E278EF42E1F9B8D833C0BCCDDC3083A3170CCA4A71960B787C47FC87AF38FC28208A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.167ED0454ED313FC59FC72A3BD8699AA

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\update.cch

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):35
                                                                                                                                                                                                                                        Entropy (8bit):3.677028119136097
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:fc3Gh7UgzVchXn:f7NUgWn
                                                                                                                                                                                                                                        MD5:E49A5284D2F384905389D53944708C48
                                                                                                                                                                                                                                        SHA1:E455420E95EA0246B8B63A251B0E451ACD711B28
                                                                                                                                                                                                                                        SHA-256:33FD3B161AEC8867652C6B0707180ADC42C267EE9F66E33BF0CE70B55B4660B9
                                                                                                                                                                                                                                        SHA-512:E9EC60296F38F68EB6C6233094E50EF534CE44A91E6511097158D631673017F8FE316E1C11A494C29BD8BE6F94AAFBF9F4A9546E709694BD3CC98B12CD243FF4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.2E69DDAE9D0D04A8ED39EECA359A9772

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):328916
                                                                                                                                                                                                                                        Entropy (8bit):7.999290842463468
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:EQjapzpRU64iYUQf9N4E/xWTUugwXWBoJW55fJKsff+Idm3lqd0LNIN/Hggh:EUaBXU5BjfcE5WTkwGRfQY+Om3lqdv5
                                                                                                                                                                                                                                        MD5:D3901E62166E9C42864FE3062CB4D8D5
                                                                                                                                                                                                                                        SHA1:C9C19EEC0FA04514F2F8B20F075D8F31B78BAE70
                                                                                                                                                                                                                                        SHA-256:DBC0E52E6DE93A0567A61C7B1E86DAA51FBEF725A4A31EEF4C9BBFF86F43671C
                                                                                                                                                                                                                                        SHA-512:AE33E57759E573773B9BB79944B09251F0DC4E07CDB8F373EC06963ABFC1E6A6326DF7F3B5FECF90BD2B060E3CB5A48B913B745CC853AC32D2558A8651C76111
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....'gqX............/...AgentPackageHeartbeat/AgentPackageHeartbeat.exe....0l.......?........F0..6\.q.......<.......I.3. &.;.........O.;d.&.U....".' ..}P..u+0.`g.Z..Zq,...w.1./..UD....F.a...B=.....!.. .=... .#7A.Q..o.........+q.C5 . 1..Ud...R>n..Y.9}>z.....yE7.}!sn....p1(e.....}T#>2/..y*7.@.<..J..q......3.4....M..."/"..cS....9pT.dn.:c...&..,H.e.....r...X#...m...V..ZP......+.h.R. .8.......!7FNa.`.P;.......P~..U.x.K.D8.&.vQ!..xn..~cNG.2._L.},..........:.J...S.y..-J...K.z.H.....z.G.6....d.b.[..9......Q.r.T........#..+..b6<...p.}......!.5.&l.E..4.F8..Y...."/.b.....................(.......b..&.6...t..%.(A..X{....H4....[.....}.......n0.:.......s..wQ.&.J\|j.....7=b+.L.t.l.0.{G.Jb.Jy.U.kG.....p-...^..g.4..RA.R..........~..5t4_...Z...h..J..........t...C3....{K.h...F..W$...U....-55....Hi.......m...............x..........)...F.p....r,}}L...i:q.Y.O....`L......yY...N..J]....T..~_|.Bh..p.w%0.H.%D...p..RM`..e....TJk..(..\.%......4..N.<..^..k/_..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27696
                                                                                                                                                                                                                                        Entropy (8bit):6.448893455648887
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TndoS4jOhWCHDIJNQnt96+aTkdMEdcG7UhZPWU1Nyb8E9VF6IYinAM+oC8Z1KTm:Td0SkSeIUhrREpYinAMxCm
                                                                                                                                                                                                                                        MD5:797C9554EC56FD72EBB3F6F6BEF67FB5
                                                                                                                                                                                                                                        SHA1:40AF8F7E72222BA9EC2EA2DD1E42FF51DC2EB1BB
                                                                                                                                                                                                                                        SHA-256:7138B6BEDA7A3F640871E232D93B4307065AB3CD9CFAC1BD7964A6BEC9E60F49
                                                                                                                                                                                                                                        SHA-512:4F461A8A25DA59F47CED0C0DBF59318DDB30C21758037E22BBAA3B03D08FF769BFD1BFC7F43F0E020DF8AE4668355AB4B9E42950DCA25435C2DD3E9A341C4A08
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....O............"...0..8...........V... ...`....@.. ....................................`..................................V..O....`..P............D..0(...........U..8............................................ ............... ..H............text....6... ...8.................. ..`.rsrc...P....`.......:..............@..@.reloc...............B..............@..B.................V......H.......t-..x(......2.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. .... )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*.rW..p*.r...p*F.(....r...p( ...*.r...p*.r...p*..(....*.rM..p*.r...p

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):542
                                                                                                                                                                                                                                        Entropy (8bit):5.041389931890446
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGGsVZrdSJ9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdArdEtPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:547C772B1DEA0A1E8030F6ED5BE2AF75
                                                                                                                                                                                                                                        SHA1:6F4A95B2EA3342D7B4D61C715C7FC076EB6A2DC0
                                                                                                                                                                                                                                        SHA-256:C35A8B8AF7ECCB9BA68B129FF7F46EB1279229D637049F40761A697E9DFCD5A4
                                                                                                                                                                                                                                        SHA-512:0F77B35AC34C8E4655F7F1F4EBF1A86AA11F96C689E632DA8BE8A17CC69A9292878E0058DD9EA5FF7315DCDD8B34489F06E6DCBB365569E3BB80E81373792FC0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUv:Wm
                                                                                                                                                                                                                                        MD5:27AD88A291FC97D97FD773334DE4E487
                                                                                                                                                                                                                                        SHA1:04B5DB46F05E02E2EC94B8A0A3447EA41FA4089D
                                                                                                                                                                                                                                        SHA-256:4E7F8923223CB32E5D376EBC0C5361DD97DB201848590C4877D586723142B49F
                                                                                                                                                                                                                                        SHA-512:5B21A87E19D4E3D7A14DC05C815B8D06500695360AAD1F54D2D3713CF05F646E9E7D559551BFE2CC2CDEBCE29A1991BC80AB2B11DDF79A4033897B34DCA40521
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=17.14

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):93232
                                                                                                                                                                                                                                        Entropy (8bit):6.196023578677744
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:5Svbne0Q41qJ3n8JMW+0KcBLQhZV5M+5Nn0komH7yAfRS7Hxh:5S8UMW+BV5M+5Nn0kom/RSz
                                                                                                                                                                                                                                        MD5:BD539D820C8163E9E86E59B99ADEDD22
                                                                                                                                                                                                                                        SHA1:FF367525BA06F8B9E611A82CFD57411BA4FBD1FE
                                                                                                                                                                                                                                        SHA-256:04C547E06CA956DB2B929CC2B6B695A649FF0F82C52E56F2677A887E7D9616DE
                                                                                                                                                                                                                                        SHA-512:FEBB46D70A5466C85087BD4E42FBA81682CF398739F7EFEF43982C830CCFD6FCEC4613F0B5542951A463161C891EE9F378CD4D2B15B1659DCBC0E15A34BA677F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c.........." ..0..:..........^X... ...`....... ...............................F....`..................................X..O....`..8............D..0(...........V............................................... ............... ..H............text...d8... ...:.................. ..`.rsrc...8....`.......<..............@..@.reloc...............B..............@..B................@X......H.......|f..X............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tM...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960415778826794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:fBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUs:fBA/ZTvQD0XY0AJBSjRlXP36RMGx
                                                                                                                                                                                                                                        MD5:3DDA2732842FCAEEA0477F18D85CB584
                                                                                                                                                                                                                                        SHA1:D70016DF3F407CFE1BE6ACF63CC80A2B40F8212B
                                                                                                                                                                                                                                        SHA-256:EF3F8313AD94CFB9C2E8C95B54433F112918A0542C341763B19C0B2C6914A71D
                                                                                                                                                                                                                                        SHA-512:3403842EA1DF9F314EFF6E78F36F215A4E371B01B1C83345B7745737FABB092BDCFE63F78A29FB5FAD14825DA1C7AC286CC8BCA02B0FC3056620FE268D4FE6F9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......Ee....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):833993
                                                                                                                                                                                                                                        Entropy (8bit):7.999644881255343
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:peRqTiLR3omp/AAzr5nxL2CP+sZ4tgMfQo:p8nLR4WYA72CPPoKo
                                                                                                                                                                                                                                        MD5:9B1F97A41BFB95F148868B49460D9D04
                                                                                                                                                                                                                                        SHA1:768031D5E877E347A249DFDEAB7C725DF941324B
                                                                                                                                                                                                                                        SHA-256:09491858D849212847E4718D6CC8F2B1BC3CAA671CEB165CF522290B960262E4
                                                                                                                                                                                                                                        SHA-512:9C8929A78CB459F519ACE48DB494D710EFD588A19A7DBEA84F46D02563CC9615DB8AA78A020F08ECA6FA2B99473D15C8192A513B4DF8073AEF595040D8962AE4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....;9rX.9..........9...AgentPackageInternalPoller/AgentPackageInternalPoller.exe....0Z.......U........ee..Th8.............t.v.g....g......M.........c..K.`|.'1.W.g.;.W+.e.....D.."|...]-:.To.:.`B(.E{.T.?..z...&.....g.....1.,km8.....Y......WZm;..!.....k.....iA...~.zK..EW'.....p.A....Q6.~S......A.......6....h=C3N0y.$i....M...N....C......I.....UCp.p....x..WQ!.p..>.'N%.2Z.l.R8./...%Ew..T..yy.....q...U.nqH......".......n.6M..P.:t...t1..r...!9Z.N.X.s8.3.9V.a...m8....LpWS..O.8..R6..O.l....e|(..F...Og.h.0..,..Z.H....Rl..L.N.9.\...."4..%..A.<."..Iy...:..GBw_1......3.y.p...a...*...l..._.FI.Z.....+.L.....]Y.K|RM.Pf..in.........93+2.QMH.t......<...3.. ....2..!....t..)).I\.qw1.'..J...J3".K'rt.h.f+.I.7...q.MK......V.._!Q.].w..au.[.brv.T&..Lfm./..J.$.m...... t.u..uQ...L...\...M.Ihp.rG.J..C".....d.....;z..d....L.p.r.c7....q[2.e.........!(....Ld.....M..9...M....>EN&dY.]....>QUJ..N.+d.cr..].D.o.........?o.~@....@..D[...5.C.eP.a.....;..:.._v.....R

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):219696
                                                                                                                                                                                                                                        Entropy (8bit):5.943430076853408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:It3Mf3ZwYUPEpbPwygJQetg0+BpU3I0toxhGf:2MfJPpjYN8hI
                                                                                                                                                                                                                                        MD5:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                        SHA1:AFC25CF6A7A90F908C0A77F2519744F75B3140D4
                                                                                                                                                                                                                                        SHA-256:9D4727352BF6D1CCA9CBA16953EBD1BE360B9DF570FD7BA022172780179C251E
                                                                                                                                                                                                                                        SHA-512:33BD2B21DB275DC8411DA6A1C78EFFA6F43B34AFD2F57959E2931AA966EDEA46C78D7B11729955879889CBE8B81A8E3FB9D3F7E4988E3B7F309CBD1037E0DC02
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{..e.........."...0..&..........:D... ...`....@.. ..............................h)....`..................................C..O....`..d............2..0(...........B............................................... ............... ..H............text....$... ...&.................. ..`.rsrc...d....`.......(..............@..@.reloc...............0..............@..B.................D......H........@..$.......f.....................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ...x )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o.....%..{.......%q.........-.&.+.......o.....(....*..{....*..{ ...*..{!...*r.(......}......} .....}!...*..0..Y........u........L.,G(.....{.....{....o....,/(.....{ ....{ ...o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):541
                                                                                                                                                                                                                                        Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                        SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                        SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                        SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXWp:WBc
                                                                                                                                                                                                                                        MD5:DFDD2EB77BBB74518BAD98519A857D41
                                                                                                                                                                                                                                        SHA1:5F4F91D73EA620CDF0E5AC458E80B71412B1BB9F
                                                                                                                                                                                                                                        SHA-256:7655078305CC5B4F62569EF9868E1B04FCC491D33FDAD1F8E4610C038BCBAC8D
                                                                                                                                                                                                                                        SHA-512:481CDA97C03294EBAB036F99727828983C8D0E4C137AF05FDEA7FD296D11378904BACCE2D58D44F932A0BF7F2A30A9B44F4CBC05E253F132B1EF641F648C8DF0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=23.8

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):52272
                                                                                                                                                                                                                                        Entropy (8bit):6.300719339270839
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:5i8fXCGsSVh/2ixXxKFArYCJdshn9xvlOaEpYinAMxCuMr:5FaM2gS1y2F9Ob7HxCr
                                                                                                                                                                                                                                        MD5:9467F653980C1C37E4C64811BA27C976
                                                                                                                                                                                                                                        SHA1:68130FABBB50EAF5CFE2C355BA13B303DD373FB6
                                                                                                                                                                                                                                        SHA-256:821847799A2B7B3A6EC20BA61388AC87707D9C6865BD904A44DE5B033BD2EF29
                                                                                                                                                                                                                                        SHA-512:E72B7802256053589D889B2B7E74A2B53F328289A12CC0D4930D66410D00585C67B2C434512473CD2E74C8F2CB7685C2C34FCFC3DBA4A52399532CEB04153597
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ..............................t.....`.................................2...O.......................0(..........@...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................f.......H...........x.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{ ...*"..} ...*..{!...*"..}!...*..{"...*"..}"...*..{#...*"..}#...*..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96816
                                                                                                                                                                                                                                        Entropy (8bit):6.1801131806578455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvC7Hxwx:hQUm2H5KTfOLgxFJjE50vksVUfPvCI
                                                                                                                                                                                                                                        MD5:F1B2303DD7E152BA70F3537EDB2E9638
                                                                                                                                                                                                                                        SHA1:7E359D4B9011449DABB7F8236F14851A346B5028
                                                                                                                                                                                                                                        SHA-256:8EE8B304339B6F87E79B117F605375AFFFCBABA290A1B41BB6B3C1A40E46767C
                                                                                                                                                                                                                                        SHA-512:A4DD48F1AFF528DADF9974ADA1740CE785823FB584F55191D008158FCFB11F9ADAD8EFF992B8FF761058706C1717E28FBC9C337CF39D4EE4FFAA529501CB3188
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................l.....`.................................(f..O.......8............R..0(...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LastSyncDevicesTime.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19
                                                                                                                                                                                                                                        Entropy (8bit):3.0503018554349826
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:LvMVnKVSn:QVOSn
                                                                                                                                                                                                                                        MD5:965D9DD203CBA16D53D3042E273D47EA
                                                                                                                                                                                                                                        SHA1:648753EB2683D6C6906FD58CBD8D912B6D0D7E0C
                                                                                                                                                                                                                                        SHA-256:EA4865AD011F808B4ABD9CF55B2BEE7F1C2DE331789597D48C337F439189D436
                                                                                                                                                                                                                                        SHA-512:AE7D089AD23975811F8B6CAA9F90560BD18A99C66C640EE998FAD010CBF9E6CB68C00F6E96EAE538AD1AAA9D470964C7E338CAD0A56EA7DBB8CF7ABF3DA4AEB0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:17/12/2024 04:32:07

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):499760
                                                                                                                                                                                                                                        Entropy (8bit):6.056862695710082
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:HXv781Hpx+GfCdLr/jd9yyeEAHweiPofdyz7qd352SW8CdykAfqO:/76BfC5avfdyvc2SN
                                                                                                                                                                                                                                        MD5:3CE7E73DB6F575A0D382DDAA8E1A3C10
                                                                                                                                                                                                                                        SHA1:031C13652C540CA7F798D141D7C3333FB1C71618
                                                                                                                                                                                                                                        SHA-256:692185C37DB7505250E58CC55D6707FCB099315A7FF319A9CC92FD99C5F0EEA7
                                                                                                                                                                                                                                        SHA-512:5270E772613864BD223F31F89CFA500E56E7863967C58C503F92E193AF8C8CAF934B7755868EC21585A38E8D6D186A2DC5528A805A62A0BFA56B59E6506BFF81
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....,..........." ..0..p............... ........... ....................................`.................................?...O....................x..0(..........t...T............................................ ............... ..H............text....n... ...p.................. ..`.rsrc................r..............@..@.reloc...............v..............@..B................s.......H.......(d...(...........................................................{J...*..{K...*V.(L.....}J.....}K...*...0..A........u;.......4.,/(M....{J....{J...oN...,.(O....{K....{K...oP...*.*.*. 8..z )UU.Z(M....{J...oQ...X )UU.Z(O....{K...oR...X*...0..b........r...p......%..{J......%q>....>...-.&.+...>...oS....%..{K......%q?....?...-.&.+...?...oS....(T...*2.(U...oV...*..-.rE..psW...z.(U....oX...oV...*:...(....(Y...*:...(....(Y...*N..{Z....o...+(Y...*z.{[....{Z....{\....s]...(^...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960733432365752
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:bBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUk:bBjk38WuBcAbwoA/BkjSHXP36RMGt
                                                                                                                                                                                                                                        MD5:2A9525F27730CBF9E7145AADE4CDA830
                                                                                                                                                                                                                                        SHA1:A6A99E02599656DE1C7F51B02C84BBA8AAE0346D
                                                                                                                                                                                                                                        SHA-256:29D0073080509DB7F3F20C47980A1347CC4139C5F2E26C9C160AE67CE5EECB6E
                                                                                                                                                                                                                                        SHA-512:DDDEEC7AA9D3F9E6187718564AE1A447FCAB12EC2DCBD26EDD87217B4815C274A6BAF90A027766FCC94815C762ED9BFA8D0DEF6C1B2F84279DED9C66852D381E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ...... .....`....................................O.......................0(.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):277040
                                                                                                                                                                                                                                        Entropy (8bit):6.190626027944278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:rSOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYA:suQlBAMW0BvltxZ6B
                                                                                                                                                                                                                                        MD5:4ECF017FD71CC84A4CBAB7507B8634BE
                                                                                                                                                                                                                                        SHA1:2343F37490F9A11F5F0878A1553F0FAF504FE062
                                                                                                                                                                                                                                        SHA-256:871D9403D045F94FC433907E49B68894764FCAF81E12FBDE2AC7A08642DDA32C
                                                                                                                                                                                                                                        SHA-512:5FCB9BDA9C857BA1AD2EC0B19AD109AC54BAC91B8F8F00968560623C8AFD01FAEE1078F7C76010C7526A37C46EE0DB74A0E0DB151186F8FB220105F7091FA69B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............'... ...@....... ..............................>.....@..................................&..O....@..L...............0(...`.......%..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................&......H.......L[......................`%......................................^.{....,.(:...z..}.....*^.{....,.(:...z..}.....*"..(?...*"..(@...*...0..,.......sp......}........q...s7...sj....{.....(....*.0..-.......sr......}........s...s7....ss....{.....(....*....0..(.......st......}........u...s7.....{.....(....*.0..'.......sv......}........w...s7...sj.....(....*B...ss.....(....*......(....*.0..'.......sx......}........y...s7...sj.....(....*F...ss......(....*....0..Z..........}....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):149552
                                                                                                                                                                                                                                        Entropy (8bit):6.059724018456156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:o/S+nps5/3oat9QrwQmUgs0giOBDQntBBGBBKBUkBBXBBgBBFBUABU1BB0BBBBgB:o/S+nps5/3f9Qrdd5EtBBGBBKBUkBBXh
                                                                                                                                                                                                                                        MD5:2FF31980FD256EF1B1E143D4699BB727
                                                                                                                                                                                                                                        SHA1:608A21DA2B243E63DAD9E36EE84BC38C921F8E77
                                                                                                                                                                                                                                        SHA-256:F34AD6FB7847A85ADBE1492C783233A8A32BB5E96972FA3738538CE20513F682
                                                                                                                                                                                                                                        SHA-512:2FEF83A7668D190297863592FBBC8E766042067138C3A163771CDCF1FB284BC8162EA6B7B958CB076B6AB654216B855324AE292F78931C47EDC33B52376943AD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...:.R..........." ..0..............3... ...@....... ...............................5....`..................................2..O....@............... ..0(...`.......1..T............................................ ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................2......H.......H....1..................81.......................................0..S........-.r...ps!...zs".....o#.....g...%.. .o$......+......(%...,...o&.....X....i2..o'...*..0...........-.r...ps!...zs".....s(.....~o...%-.&~n.........s)...%.o...(...+o+....+X.o,.....(-...-.r...pr...ps....z..o/...&.o0....3(.o1... ....(2.....(3...,....o&.....o4....o5...-....,..o6.....o0...,.rK..pr...ps....z.o'...*.......F.d.......z.-.r...ps!...z.(7....-. o8...*..0..U........-.r...ps!...zs9........+ ..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.334370226233819
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Bn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCw:BnvXYcIh6yFIFBYpc47Hxn
                                                                                                                                                                                                                                        MD5:A964D6B5F323E343E884A1E4EBBA21A3
                                                                                                                                                                                                                                        SHA1:41FEA32C2FCC56070CF904AB441019F963C83ED5
                                                                                                                                                                                                                                        SHA-256:0214D2C78CC1DBE92853305FA12119BBE09EA06B5EB9C4B4E7AD76B6FAF232ED
                                                                                                                                                                                                                                        SHA-512:3E93C094D3B9D77BAE9C1725B452743FDFA0A20EB07FFC50EA861C501821710A2C29197CF43DCEC1BF089A5BC9B8F2BF57F9FD0EC8D9805D00E32538D03CD46C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... ....................................@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.955083228632948
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:R784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRX:R7N1r9KGI04CCARLX
                                                                                                                                                                                                                                        MD5:FA432B69828C0F175E44B367AF91ED2D
                                                                                                                                                                                                                                        SHA1:C0E72D5C64E9B560311EBD1EC3A35CED46386C78
                                                                                                                                                                                                                                        SHA-256:6718AFA55EF89805B69360C9E88347A39CC302AB3C16590E78136C20DB025613
                                                                                                                                                                                                                                        SHA-512:E0C54D9126C557C24013486A31D5477EFF2B800ADAE472C3103EE1F1CD527546E6DCEFB19D5DCE602AEE6DA7A0290F413CE2C6C09DF28D4333C4E62510FE2064
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):639
                                                                                                                                                                                                                                        Entropy (8bit):4.786596756493731
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:QrWHIytXE6rWHIy6XEOMrDzk2RD4ECuZDk2hsQgQPcqvtqr6QPcvyQvCr6QPcvyX:QKJtXlKJW0/RD4Ei0sQXcqvQ1cvDvC1V
                                                                                                                                                                                                                                        MD5:1B5AFB85B014819DA4718A6B2E151E89
                                                                                                                                                                                                                                        SHA1:83791DF04097427B761B3FCAE7879599B87E7A2E
                                                                                                                                                                                                                                        SHA-256:E0FADF1409D07346C5313A393208059352AE340805168C4178E1796DCB3F62F7
                                                                                                                                                                                                                                        SHA-512:CE0DA159B43EA5A68C267131431E11703444B13D9B55B322A632A85DE283E8CD9D10E2C495E44A62B1CB2F3906F154FEBAA8364A52F3A30AEDB6D2567052CE4A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:17/12/2024 04:32:03 In Program static constructor, before instantiating _logger17/12/2024 04:32:03 In Program static constructor, after instantiating _logger without using _logger17/12/2024 04:32:04 Starting Main(), logging without using _logger..17/12/2024 04:32:04.251 am: Info: Before PollAll() call written at: 17/12/2024 04:32:04..17/12/2024 04:32:07.688 am: Info: In PollAll() before Poller.PollAll(false) written at: 17/12/2024 04:32:07..17/12/2024 04:32:07.704 am: Info: In PollAll() after Poller.PollAll(false) written at: 17/12/2024 04:32:07..17/12/2024 04:32:07.704 am: Info: After PollAll() call written at: 17/12/2024 04:32:07

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1246506
                                                                                                                                                                                                                                        Entropy (8bit):7.999702247108497
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:24576:Ony3ipTOpSfZauTZ0OH58yGrxiVj3WqHvYfUmanGGJFE:OnaSOpGoud0OHGliZWqH3bn/E
                                                                                                                                                                                                                                        MD5:E74D2A16DA1DDB7F9C54F72B8A25897C
                                                                                                                                                                                                                                        SHA1:32379AF2DC1C1CB998DC81270B7D6BE054F7C1A0
                                                                                                                                                                                                                                        SHA-256:A0C2F9479B5E3DA9D7A213EBC59F1DD983881F4FC47A646FFC0A191E07966F46
                                                                                                                                                                                                                                        SHA-512:52B8DE90DC9CA41388EDC9AE637D5B4CE5C872538C87CC3E7D45EDCF8EFF78B0F5743AB4927490ABDA1CFF38F2A19983B7CCC0FE3F854B0EACCA9C9CE28EDA75
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....=O(Y..>.........3...AgentPackageMarketplace/AgentPackageMarketplace.exe....0.......>N......V.^.'....l....f.u*-Dl._.>.u.S.Pl-6.;...].#.S.X..7./...."...Z.....M.$`.,..{....v...B.Q.M7.j4.'.C.G`<s.X.%.....,...<bdR....N....!.$J@.k...55....>1..(P&..-.#p.NwuV=Wb...a....-....q.!.s.LH..(...:..#7...L.7.$6.C.uy....&I.r..e...,w0o.....`.....[.{cg=]..IBiQq.`.X.D.h.......G./..NA.....46....w.....b9rp.J.C*.2.F.....G...~..q.x....u......l..I..b..z..w..v.d!./..U.Y^..J..k<kUo:.n:.W......g$..<.X.>....rQ.5JiJ.+..|.p......C......o/...K......T.....+9..z.."..Yd.f..&.B..QWu.-.@...c4.T.^...#.E...v...B..\.x0..{..."|.a.?.y.......-..W.........8nk.).$sf.2].c>...`....=...0..$.bp...Oh....8x.-.%N/...w.........i....a.QX0.k..k..f..D.vl.f.Q..3....]....$.4..k..y.../...'...a..C.x...@..".8....9...;..&j..G#f......).....l......Y..7.c....PJ...X...^)s[...{.......Jr.Q..+....N.F.I...%OS...=.......5......i....h..(....r..T-ir.=.+.'..'.......r...[..J...l.P....[.q...,.To..h.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):37936
                                                                                                                                                                                                                                        Entropy (8bit):6.42035670242574
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:GlK72yzFcoUzzxYeHTxwx6/ufD/EpYinAMxCoG:3e9YeHVwYe47Hx6
                                                                                                                                                                                                                                        MD5:EFB4712C8713CB05EB7FE7D87A83A55A
                                                                                                                                                                                                                                        SHA1:C94D106BBA77AECF88540807DA89349B50EA5AE7
                                                                                                                                                                                                                                        SHA-256:30271D8A49C2547AB63A80BC170F42E9F240CF359A844B10BC91340444678E75
                                                                                                                                                                                                                                        SHA-512:3594955AD79A07F75C697229B0DE30C60C2C7372B5A94186A705159A25D2E233E398B9E2DC846B8B47E295DCDDD1765A8287B13456C0A3B3C4E296409A428EF8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...!............."...0..`............... ........@.. ..............................P.....`.................................Q...O....................l..0(...........~..8............................................ ............... ..H............text...._... ...`.................. ..`.rsrc................b..............@..@.reloc...............j..............@..B........................H....... 5...I...........................................................0..H........(......}......}......~D...%-.&~C.....j...s....%.D...(...+}.......}....*.0.._........{....-.r...ps....z.{....o.....i./2.{....r+..pr...p.{....o....(....(....o.............{....o........:...%.. ..o...........i.0..+......{.....o....-2.{....r...pr...p.{....o....(....(....o............{.....o.....o....o .....-.....ws....%.{....o!...o"...%.{....o#...o$...%.o.......E...{....%-.&.+.(....%-.&.+..(...+

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1295
                                                                                                                                                                                                                                        Entropy (8bit):5.018953579697613
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdArdEtPF7NhOXrRH2/BLVv+13vH2/nVQ7uH2/FV0PH2/+w39y:3Ar+z7O7Rgdp+1/gnSagFsg+w3w
                                                                                                                                                                                                                                        MD5:843D2196B96E53ABCAE6F4C243D1A7A6
                                                                                                                                                                                                                                        SHA1:EB28441616660FD53653999595A3309961AA9A54
                                                                                                                                                                                                                                        SHA-256:175C1EBF4B5C56563944E65C9E8AE4595730155D69854499DB638E82E16DF056
                                                                                                                                                                                                                                        SHA-512:2C24DA122963E1BF533FD8A5C841C9BCD86442E0E49D3BE379FBB21AA607FDC6C7D30BA5573615416D55538429652BF1108D88EC8267FDC5D8C8F9ECAF11D0A1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-12.0.0.0" newVersion="12.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):11
                                                                                                                                                                                                                                        Entropy (8bit):3.459431618637298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhUnn:Wu
                                                                                                                                                                                                                                        MD5:5EDA46A55C61B07029E7202F8CF1781C
                                                                                                                                                                                                                                        SHA1:862EE76FC1E20A9CC7BC1920309AA67DE42F22D0
                                                                                                                                                                                                                                        SHA-256:12BF7EB46CB4CB90FAE054C798B8FD527F42A5EFC8D7833BB4F68414E2383442
                                                                                                                                                                                                                                        SHA-512:4CF17D20064BE9475E45D5F46B4A3400CDB8180E5E375ECAC8145D18B34C8FCA24432A06AEEC937F5BEDC7C176F4EE29F4978530BE20EDBD7FED38966FE989D6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=1.6

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102448
                                                                                                                                                                                                                                        Entropy (8bit):6.190700491174632
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87HxBg:h2bYbYSWd85I5sSakFQhHL8/g
                                                                                                                                                                                                                                        MD5:266A4736FE6DFEADBC40C66AF39D3871
                                                                                                                                                                                                                                        SHA1:D090E63810691F78F760E55640B81958BC715183
                                                                                                                                                                                                                                        SHA-256:4D6091013BF285AF05D901BA130E86D8CEFDB4E387540C3814929C1277C2DDF8
                                                                                                                                                                                                                                        SHA-512:AB43966CEFC08A8FE9B7A1787948F55A73B243CA6DE7259FD42E5BD4ABAE61D562C9642770708BA38AB6118D3755741529ED51E7DB2A8A811BE8B876F2922A8B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ....................................`.................................`}..O.......8............h..0(..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.998846079851237
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:GiLY8I1pq2jBTn9kbf0KNGVIYMcoS1JkEX5g7Hxlv:LZ0PMcjrgv
                                                                                                                                                                                                                                        MD5:C6339BD38794C9EB831004955DE64D16
                                                                                                                                                                                                                                        SHA1:EAE04876F94347538735F853B7F14778CB75180F
                                                                                                                                                                                                                                        SHA-256:855D0323807390D8F499355D0030685FBD6DC6939218A15059CB3E9C744AB1A4
                                                                                                                                                                                                                                        SHA-512:F62F76F305285F1C206AEFB8418E48BD2074DEC768C16986353305F34D17524E9A9AEA29AAE11B0D927247161F21039933B3EA68F2BC7F40623B471E123B33F7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..B..........R`... ........... ...............................+....`.................................._..O....................L..0(..........(_..8............................................ ............... ..H............text...X@... ...B.................. ..`.rsrc................D..............@..@.reloc...............J..............@..B................3`......H........h................................................................(......}......}.......}.......}........o=...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po!...o....*..{....o0...r...p.(....(....o&...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.408406581403349
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:hQMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyMmEpYinAMxCl5E:h9MYn1seLE8JFMLcyMH7Hx+E
                                                                                                                                                                                                                                        MD5:7F8418A330DA75F653CC1A50F0B91175
                                                                                                                                                                                                                                        SHA1:7448DCCCDB8FBB1CC827FFE4861C7BD529EE85F5
                                                                                                                                                                                                                                        SHA-256:BF780EB84424039CAB84C818D21A402369EC1BDC9136E1CDBB60486343A07723
                                                                                                                                                                                                                                        SHA-512:3CAC7066B3F210D826383CA000CDC581C0CA193800C97F2F34C6139BB4880A12A485604344EF22BADFD4609F2A0E7645E81DECFA8C5BF8C6DF4406BFEE6DBFDA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............r.... ........... ....................................`.....................................O.......4...............0(..........4...T............................................ ............... ..H............text...x.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................R.......H.......XE...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):354352
                                                                                                                                                                                                                                        Entropy (8bit):6.1536791121281995
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:4r/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvYyD:4hpp9xxIBeXGfvYyD
                                                                                                                                                                                                                                        MD5:697D8BC281B58B1FCEEC721B9BC01059
                                                                                                                                                                                                                                        SHA1:DA468B41FDADE096896B6835645DEFF110F438F5
                                                                                                                                                                                                                                        SHA-256:82C4EFE948B812C844DE4950130C292CDC49EDA42F447E17DE6CC451A1F5135E
                                                                                                                                                                                                                                        SHA-512:95877A2E690E083B256F71E376BE757FA0D329A6AAEC193461D325C63867BCE9E72A648EDB17A8817198C5224853541C65F664A6FFB966AE35D9E558F681EF46
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.Y..........." ..0..8..........nW... ...`....... ...................................`..................................W..O....`...............@..0(..........HV..8............................................ ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B................OW......H.......`...ht...................U........................................{*...*..{+...*V.(,.....}*.....}+...*...0..;........u......,/(-....{*....{*...o....,.(/....{+....{+...o0...*.*. S]G. )UU.Z(-....{*...o1...X )UU.Z(/....{+...o2...X*.0...........r...p......%..{*....................-.q.............-.&.+.......o3....%..{+....................-.q.............-.&.+.......o3....(4...*..{5...*..{6...*..{7...*..{8...*..(,.....}5.....}6.....}7......}8...*....0..k........u......,_(-

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):702512
                                                                                                                                                                                                                                        Entropy (8bit):5.943194897994663
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3f9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cH3:vXNL2PVh6B+BzjmcX
                                                                                                                                                                                                                                        MD5:F78DB2C6B247E0FFC215A44AE88178D8
                                                                                                                                                                                                                                        SHA1:12FB14AE1CF731115F07076AD939A2ACC57A9920
                                                                                                                                                                                                                                        SHA-256:1DFF434970F52326AA5E0C1164AB76A771A1EE651E37166DF8A3BC3F06204746
                                                                                                                                                                                                                                        SHA-512:AF3F67FA56CA89111E389DE17F9030D979827E8B60AF86E991115B07759D6DADA1B74ED870B5163474192BF58A5FA69EBFB03DFCF087EB88E1E72EC26BB578CB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0................. ........... ....................................`.....................................O.......................0(..............T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........z..<&..................<.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X.+....b...aX...X...2.....cY.....cY....cY...{...._..{........+,..{[....3...{Z......(....,...{Z...*..{\.......-..*...0...........-.r...ps....z.o......-.~....*.~....X...+....b..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3585766
                                                                                                                                                                                                                                        Entropy (8bit):7.9999279847863685
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:98304:XOzuWD7XM4OvRQW56YWuCrMXa7ANNBvlXWKCI:XauWD7cjGKWuyOr
                                                                                                                                                                                                                                        MD5:E010D1F614B1A830482D3DF4BA056F24
                                                                                                                                                                                                                                        SHA1:5873E22B8C51A808C06A3BBF425FCF02B2A80328
                                                                                                                                                                                                                                        SHA-256:98A98DD1DF25D31A01D47EAF4FA65D5F88BC0AD166F8F31D68F2994B4F739A9B
                                                                                                                                                                                                                                        SHA-512:727877929530E08062611868FD751D1B64E4C7D28C26B70F14C7CD942B1AE1579CBA2A2EF038BAD07032EF728AE277963FFB3E1AB7A5C28351326FABAD84DAA6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......6>Y.^.S........1...AgentPackageMonitoring/AgentPackageMonitoring.exe....0........p........_L........v.w.../.E..l1.=.8..F.....|..%J.....QB..+.C#.(...Y..*FC.j./.?..#WJ.T......3.P....7^p5.g.`.. .m.h..U..(\.OlC.U...,...l~..Noh.q....Ai.'.EuZ..!z..5w4..&..4..b.__...7u..^.Wv.1.:.|....}..I....F..W..Ko]_j.mk..v..-....CW.....%x....&...o.:I.~.C..#%S..U...f$..n.........WE.....>...d...._M.|....(..?..i. Z.d......{..C.P....57.QR...._iN...r.t..IG..tFs..r.%..b.I.C......`Dd..8U.h..T.C..q....7.i.L..S!m"..).s."..H....W..b....X.l.C..'..#M....gB}k4..{K.&..s.<.^..Q....Q..c..&..BO..W.".\...!.CR..,o<.X>....,.-.[.^1H^r.)q. L..#.?...0..j.,r.`#..Rq"K/.B.:.....V...hX_..ja.........[.)&....C...../../......IZ2..v .@G...*F....nf. .@w.9o.,.....X.i.K/.}\!..7.a.w....:.x.$gE..DG..V...t...K...M.$...b..{.u.4..1..]."..o.n8dQ<...q.....d.(..Y...U...../n.....*y+..%.+.D.}W.&&.U.Z...c#.mU(.......d(.......x....r".g/O.....5..|(p..XG...'7].3.A.Y.&.&D$.".|...D..d\.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398384
                                                                                                                                                                                                                                        Entropy (8bit):6.2554691460003795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:OLrnDNjiDx+xdShTv/51LtpYbgPuXhN2sHY:OLcDx+72/51+cuXhN2Z
                                                                                                                                                                                                                                        MD5:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        SHA1:11AE92FD16AC87F6AB755911E85E263253C16516
                                                                                                                                                                                                                                        SHA-256:01F464FBB9B0BFD0E16D4AD6C5DE80F7AAD0F126E084D7F41FEF36BE6EC2FC8E
                                                                                                                                                                                                                                        SHA-512:540D6B3CA9C01E3E09673601514AF701A41E7D024070DE1257249C3C077AC53852BD04AB4AC928A38C9C84F423A6A3A89AB0676501A9EDC28F95DE83818FB699
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..../............"...0.............2.... ........@.. .......................@......<.....`.....................................O.......(...............0(... ......0...8............................................ ............... ..H............text........ ...................... ..`.rsrc...(...........................@..@.reloc....... ......................@..B........................H........0..d.............................................................{'...*..{(...*..{)...*r.(*.....}'.....}(.....})...*....0..Y........u........L.,G(+....{'....{'...o,...,/(-....{(....{(...o....,.(/....{)....{)...o0...*.*.*....0..K....... bHQ. )UU.Z(+....{'...o1...X )UU.Z(-....{(...o2...X )UU.Z(/....{)...o3...X*..0...........r...p......%..{'......%q.........-.&.+.......o4....%..{(......%q.........-.&.+.......o4....%..{)......%q.........-.&.+.......o4....(5...*..{6...*:.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1459
                                                                                                                                                                                                                                        Entropy (8bit):5.033662307409642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dErdGPF7Nv+13vH2/nVhOXrRH2/d9XF7N0PH2/+w39XF7NQ7uH2/F9y:cErU7h+1/gn27Rgdz7Eg+w3z76agFw
                                                                                                                                                                                                                                        MD5:C6ECF24757926EBA64E674BFF8B747D1
                                                                                                                                                                                                                                        SHA1:3A46083826C20E8E085C42BBFDFEEF4F9E2B90D9
                                                                                                                                                                                                                                        SHA-256:C3EC04142C15B0A237E72CE1C3C85D19CD1231B9824F7A9854E7909A74B7BECC
                                                                                                                                                                                                                                        SHA-512:EFABB9883ADB098A90115E8938C92B76BBB8D2EB5DE170ECFA205EE949A2D722E0F97F6E01F9A71AC8B5FA2108B9FF82FA0171759D50E30D0AB5FC1948BDCE15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.9.1.0" newVersion="2.9.1.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWQn:WZn
                                                                                                                                                                                                                                        MD5:5796D1F96BB31A9D07F4DB8AE9F0DDB3
                                                                                                                                                                                                                                        SHA1:93012724E6CC0A298838AEDE678806E6C0C6517D
                                                                                                                                                                                                                                        SHA-256:A90D255CCE3B419641FA0B9BA74D4DA464E0CE70638A9C2EBA03D6B34FCA1DC4
                                                                                                                                                                                                                                        SHA-512:890112DDCB3B92B739C0DD06721EFA81926CE3AAB04C55CDADB8C4E6B7A28C9796F08F508249DB189547DC4755804AA80CC8B104DD65C813A0450AAD2CDDA21C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=37.8

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102448
                                                                                                                                                                                                                                        Entropy (8bit):6.190879178656762
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OL87Hxm:g2bYbYSWd85I5sSakFQhHL8g
                                                                                                                                                                                                                                        MD5:A86884A9A1C75604B2114E09B738FCF9
                                                                                                                                                                                                                                        SHA1:A82B444BF09CFCAE36F532C4EB4B8C5EF0933F6A
                                                                                                                                                                                                                                        SHA-256:EEF751E3B01C4071A1BA34E96B663E93631C51485AF31055C3EB2F75866F9FEC
                                                                                                                                                                                                                                        SHA-512:4B97A3D4C37129440816D0524CDB1C485AE68B6C6735857C157D7EA76ADD91241B7185C831C646713CFB4DFB3EC95E577F98088D08ACBB0313837CA584474299
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ....................................`.................................`}..O.......8............h..0(..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95280
                                                                                                                                                                                                                                        Entropy (8bit):5.997149012234495
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:S4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkj87Hxsfn:S4auS7S5Ea6WMcpu8Mn
                                                                                                                                                                                                                                        MD5:0E5155ECBE5A1797644F1610DAA15583
                                                                                                                                                                                                                                        SHA1:89677E0F9443D52C73D4E0B91C5AEE5215EC4E88
                                                                                                                                                                                                                                        SHA-256:9BAF23C814DD100B2AC9511C9A2E5302DEE1FFB1807DEA021E1D317BA36901CA
                                                                                                                                                                                                                                        SHA-512:3F80A871547BDF47F0A5B58F54B9597D0894580FCEE8F53DD08C8A80658697FA9C9426AB8D47A40B0CDCF53D11769C654D26A3B530AD39A3A6E37D468CA309D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=$..........." ..0..B..........b`... ........... ..............................d.....`..................................`..O.......4............L..0(..........h_..8............................................ ............... ..H............text...h@... ...B.................. ..`.rsrc...4............D..............@..@.reloc...............J..............@..B................A`......H.......Lh................................................................(......}......}.......}.......}........o<...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po ...o....*..{....o/...r...p.(....(....o%...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75312
                                                                                                                                                                                                                                        Entropy (8bit):6.240342116807372
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:bu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYM:iF+qo7mDEwj4NXLGcfgruFcg7HxRM7
                                                                                                                                                                                                                                        MD5:F64746D633211D129AEC5DB988BCC9B1
                                                                                                                                                                                                                                        SHA1:78E7047265B0DF15C54FE84261D2A0B3568FEF31
                                                                                                                                                                                                                                        SHA-256:9EC285FDB857D5618FBD794464135BC56823B08146EA41F24FCEC3135F0E1C0B
                                                                                                                                                                                                                                        SHA-512:31BCE8F3DC415F562354044BA490A9252E6C20CAA38D5162AB3929111566BCA7E97D609EACAC4712E814AA8AACFCB7B32360E4F6EE5521D6223DCC4617A5614F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`............`.....................................O.... ..................0(...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.408313907878965
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:RQMnMYPWMXMwtKsSdj3xn91SPSvwzE8Kku6P3A+wf+bMEpYinAMxCk15:R9MYPJS/16/E8/3A+++bF7Hx315
                                                                                                                                                                                                                                        MD5:1CAB625AAF9CBCAB46B1455BCA45EF4C
                                                                                                                                                                                                                                        SHA1:274A3B9134AA4530110F29C1858A85D86D4A396D
                                                                                                                                                                                                                                        SHA-256:1CB4C57049F47E3EEFB1C2BAB2BA34A17ABDA610DC3D4D331A9B33B40B00307F
                                                                                                                                                                                                                                        SHA-512:BF4A53BFB9DCF13C87ED6E79640371908C73E7D67765B724C509B4EB7F3F66962F0883094640497CCD2FFCD255D1E46A50B33850E8B0B2D1CC684D40DE24F5D7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D............." ..0.............b.... ........... ....................................`.....................................O.......4...............0(..........$...T............................................ ............... ..H............text...h.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................B.......H.......|E...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):155184
                                                                                                                                                                                                                                        Entropy (8bit):6.247374284901675
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:A0feG0EI+t80zE04kjSnY2QJ6lwZaBsEFmWF+YkY:1P80zukOltwW9
                                                                                                                                                                                                                                        MD5:12572F87CCF0E40406B3554A1A6D3905
                                                                                                                                                                                                                                        SHA1:C9E238EF065D38400D084265EE056B2ABB694224
                                                                                                                                                                                                                                        SHA-256:6FDB589EBADF91A869EAA3A850B0FB17A8AB96BED78422E28F7EFAF63BC040F9
                                                                                                                                                                                                                                        SHA-512:D397888AACB1B787662B1678A24E24DDFA7A42C5363AC673706934A1A42E13F5ED55956D478FAF0998C77891A64F5F26E85DCFA7FFC0A6AE87DF26B3C24C4314
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...%%.W.........." ..0..............M... ...`....... ....................................@.................................lM..O....`...............6..0(..........4L............................................... ............... ..H............text....-... ...................... ..`.rsrc........`.......0..............@..@.reloc...............4..............@..B.................M......H.......d....G...........................................................0...........u....,..s....*.........*Z.(....u-...%-.&*o....*..{....*..{....*..{....*..{....*..{....*2.(....._...*2.(....._...*..{....*2.(....._...*...}......}......}.......}.......}.......}.......}....*>.........}....*..{....*...0...........o].....o^...(....%-.&+..o_....(....,...(....o`.....(....oa....(.......(b...,...(.......(c...od...+"(.......(b...,..(.......(c...od....(.......(e...,...(.......(f...og.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030878409231256
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:x1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7sA:YIzm6pOIgvr75
                                                                                                                                                                                                                                        MD5:44EBFB8CE52A4EFEDF07DA6875CA230E
                                                                                                                                                                                                                                        SHA1:824585DB12A35588F25C0CC5DA77EAEF94011CAD
                                                                                                                                                                                                                                        SHA-256:292F94823959CAFAAA77B81C0A490EA9ACF90B2553727BF3E74C1AE3A7F8AC01
                                                                                                                                                                                                                                        SHA-512:89DD6F5E827A9E23A8F7DBA8F89F55F2A01B290756AE7A6371A5934E9AFC6B3C5702DC0CADAB061405AEA4F2AC275902D8094E7A0ECDA29C8A438C6BCE46ABD0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ..............................`.....`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:JSON data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2
                                                                                                                                                                                                                                        Entropy (8bit):1.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:H:H
                                                                                                                                                                                                                                        MD5:99914B932BD37A50B983C5E7C90AE93B
                                                                                                                                                                                                                                        SHA1:BF21A9E8FBC5A3846FB05B4FA0859E0917B2202F
                                                                                                                                                                                                                                        SHA-256:44136FA355B3678A1146AD16F7E8649E94FB4FC21FE77E8310C060F61CAAFF8A
                                                                                                                                                                                                                                        SHA-512:27C74670ADB75075FAD058D5CEAF7B20C4E7786C83BAE8A32F626F9782AF34C9A33C2046EF60FD2A7878D378E29FEC851806BBD9A67878F3A9F1CDA4830763FD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:{}

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):354352
                                                                                                                                                                                                                                        Entropy (8bit):6.153589479592355
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:Qr/iEF3zTxesPlx5zIAUH+2n8G4smIkuxhnCq7a/ZmvY2:Qhpp9xxIBeXGfvY2
                                                                                                                                                                                                                                        MD5:53594510735A737A2B25AF4B396EFE8F
                                                                                                                                                                                                                                        SHA1:3F4664E88F44BBDCA29AFFB78D866A76ED128965
                                                                                                                                                                                                                                        SHA-256:DFBBDBA40745B2FCDEC5973D1BB0352DD8618996A6231411C48D87D11C63D07A
                                                                                                                                                                                                                                        SHA-512:D9EBC5B83D8727E596EA6A72C49F58C5CB2BC02EC24B432709BCAA7C1C49E267F85520315EF644EC75DC24E3A5D49F64292A295822B27EDEFF452F552D8B89AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j.Y..........." ..0..8..........nW... ...`....... ....................................`..................................W..O....`...............@..0(..........HV..8............................................ ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............>..............@..B................OW......H.......`...ht...................U........................................{*...*..{+...*V.(,.....}*.....}+...*...0..;........u......,/(-....{*....{*...o....,.(/....{+....{+...o0...*.*. S]G. )UU.Z(-....{*...o1...X )UU.Z(/....{+...o2...X*.0...........r...p......%..{*....................-.q.............-.&.+.......o3....%..{+....................-.q.............-.&.+.......o3....(4...*..{5...*..{6...*..{7...*..{8...*..(,.....}5.....}6.....}7......}8...*....0..k........u......,_(-

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883760
                                                                                                                                                                                                                                        Entropy (8bit):6.071511083932349
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:o1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQs:o1n1p9LdRN39aQZUq1
                                                                                                                                                                                                                                        MD5:286642CD396C5B6CADC906B112B493EE
                                                                                                                                                                                                                                        SHA1:CB625FDBD26798B3042BC5CFFD010F4E73CDAF1B
                                                                                                                                                                                                                                        SHA-256:004BF709595E808AE59558AE7510A40277B7E31D99A5580B0E07F136EAE09130
                                                                                                                                                                                                                                        SHA-512:49773E5AD432F893C559308DA144596CE1DFB967DB5FCFB1805528CC7535E70A181ED8801CAE43A47B58656C9925A236B06A4F2C67802A1A875A3DCE3C9002DD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ....................................`..................................c..O....................T..0(.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.960469418569573
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:2BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUD:2BA/ZTvQD0XY0AJBSjRlXP36RMG6
                                                                                                                                                                                                                                        MD5:B61A163EC8F1E6A3A3572A90BA23F7CB
                                                                                                                                                                                                                                        SHA1:467FBA9F1C171B58B76F4E9E24ABA1CE5C91D02F
                                                                                                                                                                                                                                        SHA-256:87DA900259BEA3BB65D984FB6FCD3134661E3EB0883EBF24981D50CA5D36F51A
                                                                                                                                                                                                                                        SHA-512:87EADB61D95EF67CEA0EC8CF15C2E285AFF8C92941ADB47DBCE6886796DE45B4940EFA803D2A9333FADD09473E1B1A34660042D12562FB07EAF4A59C401244CA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... .......n....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):293424
                                                                                                                                                                                                                                        Entropy (8bit):6.121629065121692
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:admT7N9hXNx16L/kakZieD2C6gVkRYKn6nUa9K+yB:adc7N/WkQHr64B
                                                                                                                                                                                                                                        MD5:3362FDB62A7980CA70C44B4DBDA5BE9B
                                                                                                                                                                                                                                        SHA1:77B328FD868E9BE19165C39B541E815BAD1FE13F
                                                                                                                                                                                                                                        SHA-256:A6B74A797384F89B692F2E1027A3F73B4FAD2A97914208158869A33068132A1C
                                                                                                                                                                                                                                        SHA-512:D0441E5C747707434C02A64E8FF3A49EDF33CFF2C9D22F2C22E8BDFEBC30A3CDF79B2ED96B8ABD819ECD042876BAA77C32E119EBB05BA0ECAC73DFE2BF971E86
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....:.d.........." ..0..H..........rb... ........... ..............................k.....`................................. b..O.......$............R..0(........................................................... ............... ..H............text....F... ...H.................. ..`.rsrc...$............J..............@..@.reloc...............P..............@..B................Tb......H.......\....V...........................................................0...........(......o......e...%.r...p.s....}......}......}.......}......{......e...%.r...p.s....o....r...po.... ....(.....|....(....-.."....}......{......e...%.r!..p.s....o........(....(....o.....(......(....-...}....*..}....*..{....*..{....*..0..a........{......W..}.....{....,..{.....o.....{.....{......e...%.r!..p.s....o.....{.......(....(....o....*..{....*....0..Z........{......P..}.....{....,..{.....o

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):277040
                                                                                                                                                                                                                                        Entropy (8bit):6.190725872261733
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ISOIleacQlBh2YQMoIBhpq01TLvlj9b6gRZNsRYl5:XuQlBAMW0BvltxZ66
                                                                                                                                                                                                                                        MD5:66C97A4217593113658977F5AEFC18D8
                                                                                                                                                                                                                                        SHA1:A7E4FF9BDB3800C1E93A0D521B53E344A10699FF
                                                                                                                                                                                                                                        SHA-256:9AD65CC593BFC60815124C6377A8F3EA4F031BCA01C688FB543B50A2B6418764
                                                                                                                                                                                                                                        SHA-512:D2A474718A38AA0EA738200D7584A5C21552DC76428176026C5509AE606FEA534F4AEABEDF93D5BAE5735754D82B2D93E4CFB67BCFEA9A435147D7BB4B1F0722
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0..............'... ...@....... ..............................?a....@..................................&..O....@..L...............0(...`.......%..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................&......H.......L[......................`%......................................^.{....,.(:...z..}.....*^.{....,.(:...z..}.....*"..(?...*"..(@...*...0..,.......sp......}........q...s7...sj....{.....(....*.0..-.......sr......}........s...s7....ss....{.....(....*....0..(.......st......}........u...s7.....{.....(....*.0..'.......sv......}........w...s7...sj.....(....*B...ss.....(....*......(....*.0..'.......sx......}........y...s7...sj.....(....*F...ss......(....*....0..Z..........}....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284208
                                                                                                                                                                                                                                        Entropy (8bit):6.117308680869445
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:QZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHe:Ggo0WPVTXg+
                                                                                                                                                                                                                                        MD5:A6D30251ED124D7656F523A7DF177D09
                                                                                                                                                                                                                                        SHA1:48092D267E067C1967B5ACF1AEBD9A18F0B91515
                                                                                                                                                                                                                                        SHA-256:EC81827B885C0B109AAA3882469BB41D26871274B2E39D3B227FBD18858BF6A3
                                                                                                                                                                                                                                        SHA-512:466809068B5813AC5531D9E5C76BA080A3A15B0D1AFF2A7187149CD5366D990DFD07DF1D51EEB8FCC656ED5C2D1C099AC32E0416F219FC38B64BD1A2351EE502
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ....................................`..................................B..O....`..D...............0(...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22064
                                                                                                                                                                                                                                        Entropy (8bit):6.677526036924594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:gy/fjFwUI/KQyVvKdDhG6ISDFWvYW8aoNyb8E9VF6IYinAM+oCOq9tH6:guhMaVmzDC67EpYinAMxCQ
                                                                                                                                                                                                                                        MD5:8F678B241B955CF86CF65136ADE90539
                                                                                                                                                                                                                                        SHA1:DFD92464B9C5D6822062721C7C3497CD30850CC4
                                                                                                                                                                                                                                        SHA-256:15F8EEDC717B18D1A43BB3295BE6787E0DF002C284A06A4B9198851BCCFEB7F2
                                                                                                                                                                                                                                        SHA-512:482E6E33F22D7DC68D075600E3C6131A0B563796E34BEBE6352BE8455BD4ECC72F7B682C3E203FEE9CED67C78B60A96B58037CA7499D4F0F86E0B33AB836F048
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............0(...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):409136
                                                                                                                                                                                                                                        Entropy (8bit):6.098204637389941
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:bPaYZ6henFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUFJFpcNcHc7cbchFFc5cbc17:p6heZBJm333M89QA+
                                                                                                                                                                                                                                        MD5:5B3639406ABB5AD7F16A90124B708862
                                                                                                                                                                                                                                        SHA1:466DB9D6BC5F2A8EB205E5F3A7F2EC8C52809597
                                                                                                                                                                                                                                        SHA-256:83717328623F05F5987DC258332BCA21C1F2858B7CE6B834AF5DA687B0948847
                                                                                                                                                                                                                                        SHA-512:F10717408E0140C8DBEFCCE9501CF03B86CECD32F2B55770879C28E21D793E45BD8B7EEED52E56E3386000A7BEEF7F0BDD05EBEFF99A44D1056512F48063F71C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3.c...........!.................+... ...@....... ....................................`.................................H+..S....@..p...............0(...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B.................+......H...........tM..........PM..J...P .......................................6K/.%.L....7.......2.x..`..P.k:k.......0\W.j...;..xX.~..HB..S@.$.m...)4..<S1...C.Y......#ku.k&..2<..i{..>....U...s.'{:.(......}....*..{....*:.(......}....*..{....*r.(......}......}......}....*..0..5........-..*~.....o.....X...v....~.......o......o .........*6..(....(....*"..(....*.0..T........~!...("...-..-.~#...*../....+...X....($...-..-.~#...*..v........(%...~.......o&...*Z.~....2..~.........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51760
                                                                                                                                                                                                                                        Entropy (8bit):6.234968936412768
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:3zpj9H0/bvvmNAkkOMo/23e3vggrkrD9Bxjpm2yuIFLlHTUpa/hDXEpYinAMxCWu:3zpjF0/t043e3vggr83jMYa/hU7HxVu
                                                                                                                                                                                                                                        MD5:BDFEF14C7A661E237F27B79E4FE950F6
                                                                                                                                                                                                                                        SHA1:83F7DC1950211EBEC2B326D0778E6A46781CF892
                                                                                                                                                                                                                                        SHA-256:689AF98555A3D5A36FE8841AD39F9196F60A6A5400A8CF41E6E0997F47E675F1
                                                                                                                                                                                                                                        SHA-512:1E698E4E1E6108524F48B6ED7720E0EE239679546FB429F415A52875C8FA0D5C0B2D8C3EE6F523D1B7E875D1FACA83B6A0EB5B62C0DAED414BDCB36FE0D5C043
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.................. ........... ..............................b&....@.................................X...O.......................0(.......... ................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........J...g..........p...0.............................................{!...*:.(".....}!...*..0..#........u......,.(#....{!....{!...o$...*.*v ..yN )UU.Z(#....{!...o%...X*....0..M........r...p......%..{!....................-.q.............-.&.+.......o&....('...*..{(...*:.(".....}(...*.0..#........u......,.(#....{(....{(...o$...*.*v ..:. )UU.Z(#....{(...o%...X*....0..M........r-..p......%..{(....................-.q.............-.&.+.......o&....('...*..{)...*..{*...*V.("...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138288
                                                                                                                                                                                                                                        Entropy (8bit):6.179921646668756
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:YP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8Ils:Yh0qjC5RMOHO420kN1X
                                                                                                                                                                                                                                        MD5:8DDC05CED2922285C9037C7D503A86AA
                                                                                                                                                                                                                                        SHA1:AD66BA39BE8639D86877B515A68EC3D7AD3E7753
                                                                                                                                                                                                                                        SHA-256:30D4499D9F96D1B081C5A8B5F9D9792900DE6767243CBEAD81F6244C33C799E0
                                                                                                                                                                                                                                        SHA-512:6B7E9AC11076C4FAEBF6F51610023BAF0F513DD0680CA2A07DA9AE5E6F6AC42EDBF8CA8F9ED210AC5F3C7D280E8ACBBDAFA4C6916ED2003B9D94693587EEF656
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`...........@.................................3...O.... ..0...............0(...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17968
                                                                                                                                                                                                                                        Entropy (8bit):6.676696708568243
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Th06sbbVVPWU2W+Nyb8E9VF6IYinAM+oCeBVmh:Ty9eEpYinAMxCAy
                                                                                                                                                                                                                                        MD5:2D491883E24603B382FDAD8840272070
                                                                                                                                                                                                                                        SHA1:78C442E11EA0B9ED3BBD09B19E6A18CC559CA58E
                                                                                                                                                                                                                                        SHA-256:EDF076BA91F6F5A808879D94A586D1BF78D5D0C8FDCD5399DE36FB6389301886
                                                                                                                                                                                                                                        SHA-512:0790CA5BB187AEFE4E5785C528C68E55EA4AFD642101A77A1D983599BC42AB4423723E910A0265CD9A5D3C7DFE0C9E9794DD6F6E8228B488A384647643C09C79
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ...............................w....@.................................@3..K....@..................0(...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27184
                                                                                                                                                                                                                                        Entropy (8bit):6.332801634669375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:kn1VM0JrpNWDcIh6leOiDFIFBYp1+/EpYinAMxCr/:knvXYcIh6yFIFBYpc47Hxk
                                                                                                                                                                                                                                        MD5:B62DB814A8E1C5C8F4DE32F142D7709F
                                                                                                                                                                                                                                        SHA1:DB5998A9C785E77A1152145615213EA31E06B289
                                                                                                                                                                                                                                        SHA-256:F3E5DDD22B8F044C9B45D99762F2A339077790AB049C1AAB152F70BC7127466E
                                                                                                                                                                                                                                        SHA-512:0F7DAE5AA68ED86A574F70478F99458C4A52B1913D232B20A58045EB1E49C83B9134DD90335FBCBEDEECF691EECE5A137FE06FF9F2F6B9D0607FACEA2C0D7C5B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... .............................../....@.................................dW..O....`...............B..0(..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.955263962444665
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq6L:67N1r9KGI04CCARLq6L
                                                                                                                                                                                                                                        MD5:F0A06E07C21B485434202D325B3AA058
                                                                                                                                                                                                                                        SHA1:6E4A0A572E3CA5A5B23D4633CE63300E3BB39658
                                                                                                                                                                                                                                        SHA-256:955FD5B1B046AFC9E62E2D0CA4698818FE1357EA764977D7A9B4A44C1F657169
                                                                                                                                                                                                                                        SHA-512:B398A6A66F184193CFA635D6B5DBA9ADB391782F2A82F4609ECB161A4340DC41C82F22A98FEB69F594B7DDF9FB677711BE1FBFA4D796146550E92D22DCA14D15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`............@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4019
                                                                                                                                                                                                                                        Entropy (8bit):5.254487644282179
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:cXXgDOJSXg8OJogFOJDgYgOVOhVWgBNNXzHSxBNN4zPzRlXNzSPeZgg9dSjedcd7:cXQiSQpZIUH8afhbZh9A6qA4AAADjAN
                                                                                                                                                                                                                                        MD5:C14A5C63771A6F43F1569085EF42CFF9
                                                                                                                                                                                                                                        SHA1:1359A9DA3E3231B5F72DC4AF4CF3CB001B4A0334
                                                                                                                                                                                                                                        SHA-256:2CAFFCF38DAC0FD2F72663AD9DD77D507B6B4DD1C35A5344FEA84A14832979B1
                                                                                                                                                                                                                                        SHA-512:1AD10B48754F7A302B2F352883BCDFD05B2DAAEF239BA0C5D543F7C8B40A9D48CC2CBA7CFC00B53458D261A5EEF9EC8998EDF8C261BF718B7D6CD626711AC5C7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-12-17 04:32:01.5023|ERROR|WindowsWindowedEventLogProvider|Error on retry number 1: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-12-17 04:32:02.6273|ERROR|WindowsWindowedEventLogProvider|Error on retry number 2: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-12-17 04:32:04.6585|ERROR|WindowsWindowedEventLogProvider|Error on retry number 3: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...2024-12-17 04:32:07.7210|ERROR|WindowsWindowedEventLogProvider|Error initializing last processed events, ignoring file, exception: System.IO.FileNotFoundException: Could not find file 'C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastWindowedEventsProcessed.json'...File name: 'C:\Progr

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:SQLite 3.x database, last written using SQLite version 3040000, file counter 20, database pages 14, cookie 0xb, schema 4, UTF-8, version-valid-for 20
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57344
                                                                                                                                                                                                                                        Entropy (8bit):1.4802613145618957
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:N5PsveM5Htzy8OO7QzyO+pbtzy8OO7QzyO+p5tzy8OO7QzyO+pE:Yq
                                                                                                                                                                                                                                        MD5:2CE8FA65CBC24CEB8C0C87A1F1F52C1B
                                                                                                                                                                                                                                        SHA1:9231127F57D4942D2A44978DADB532F241399FD0
                                                                                                                                                                                                                                        SHA-256:AF9FB18F0959ACC4BB6BBB6E877669A0ACA31C42A0DAD19E20499593792096B1
                                                                                                                                                                                                                                        SHA-512:3940DF722ADAB6B20BCD31819148F4D53A482173CCE1D1222F520922363898568699D36E34CC2FAA7B7D5883EC4C1A9D01BF959CC3E0E151C31E9E2F62D8BE1D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:SQLite format 3......@ ..........................................................................c..............Z...?.j...I.:..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db-journal

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:SQLite Rollback Journal
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):8720
                                                                                                                                                                                                                                        Entropy (8bit):1.8951938438809943
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:7MtWqiFu5C4OZUlFJNGdNGveXXQXN+5NG1ZS:7KWNu5C4OoNSN1eN+5NmS
                                                                                                                                                                                                                                        MD5:7B44B7EFD8C35E7F3EFF77CCB890EA7D
                                                                                                                                                                                                                                        SHA1:A1C569E7F8128F220275D018D6F1F5714E15A82E
                                                                                                                                                                                                                                        SHA-256:CF1CB48CCE9AB00DCDFFA2D3D03DAFD303281C75D8AE698CD0DBCA717F48A443
                                                                                                                                                                                                                                        SHA-512:459409846B783C27E0D23F791F1F50B660404A23ED00CB91F16813F82CD4A9B317DDF18BC52821071595C5AAF8B00D979BF5979C803744243B0BBCF1AD7E5A92
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.... .c......e.p........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1799216
                                                                                                                                                                                                                                        Entropy (8bit):6.520454988999628
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:GuvfmOhyS2RuhV0yGzcuHpRs8ulCfUk+qKuMhUwqPevJ8QNYfjmqBBLbNFEohFY9:RHmUMohVWpu8ul0UkTgNCfyo3G
                                                                                                                                                                                                                                        MD5:CBA9D50085EE939B987CF758C727DD62
                                                                                                                                                                                                                                        SHA1:DDC0FAF68995883AC754662C59C4295BB0A64E3B
                                                                                                                                                                                                                                        SHA-256:75E47A697A46E31811FAB8C5D9FE1ABA6BA095B6D13DC79A8C848BE308917C37
                                                                                                                                                                                                                                        SHA-512:A5F3D1B96535E0B523ECD71DC36FD3AF157C630874FF11DA29066C545114D256B14A5EE2BA725679C4192182D37DF6900AA69ECE228BAFCE909A482DFF43A1E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............g...g...g.>.....g.>...B.g.>.....g.3.....g......g...f.^.g../....g......g......g......g.Rich..g.................PE..d.....c.........." .................n...............................................s....`.........................................`t.......e..x....`.......@..`....L..0(...p.........8...........................@...p...............`............................text...$........................... ..`.rdata..............................@..@.data...0........z..................@....pdata..`....@......................@..@.rsrc........`......................@..@.reloc...,...p......................@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):1475632
                                                                                                                                                                                                                                        Entropy (8bit):6.791868709546672
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:TS3uuk58wXpQous2GCzbHwGTzsIDQAKub0MBsIFBm5fi/5ATA9NTTPjXWJD8qC:6dwXpQdNVNDQubXyi60jXTW98qC
                                                                                                                                                                                                                                        MD5:3B462EFAACFAEBA904109B4FD3FE641F
                                                                                                                                                                                                                                        SHA1:6DB8785E94FDC2152895396CB9B3D3945DA5D25A
                                                                                                                                                                                                                                        SHA-256:1F9F620D4D7D32670073C335A2DC88A5A5DCFA7A5FF18E914EC6CD8EA983105F
                                                                                                                                                                                                                                        SHA-512:7295B1F7E4437729DFDAED5310EB26B5F4A8B96A2B97ADA8F8466712A69946BAADB2588071B51D661F4FD2A6029A2914E3DB73914BD2FE1C74D725F204063EF2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........?.rG^.!G^.!G^.!.._!d^.!..]!.^.!..^!.^.!.))!O^.!Y..!D^.!G^.!.^.!d.B!F^.!!.Z!F^.!!.Y!F^.!!.\!F^.!RichG^.!................PE..L...r.c...........!.........*.......:.......@............................................@.........................0B..:....5..x....................\..0(.........pB..8............................1..@............@..0............................text...p-.......................... ..`.rdata..j....@.......2..............@..@.data...tt...`...T...N..............@....rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2950466
                                                                                                                                                                                                                                        Entropy (8bit):7.998782979199986
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:xbG/HdRftau56Aie0UvSxh1NcXkFuTCjCNAbhnOYqIR83DJu51lPIq6YmtzfaQgD:c/9RfogeQqVNcrTLNkIX3DJcz7SaQov
                                                                                                                                                                                                                                        MD5:A3B618CCA61ED197743E369F5F2EC0F2
                                                                                                                                                                                                                                        SHA1:B960C72ED47514479432931852EE251BA2BB7C05
                                                                                                                                                                                                                                        SHA-256:3C1AEA4F44A249649C8B3773E29DB5F4AC940E6BBCB48990151F1879CB7370F9
                                                                                                                                                                                                                                        SHA-512:7DEEC849ABE74AA16FF54B265C00CC01C860D7B4A3F99B10ED64D7BB552991C7CC621A9857DAD5F85A9E3B00FD04D028B1599E678C6FC335FD8FC2DC807A5443
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......n.Y..7Z........6...AgentPackageOsUpdates/AgentPackageOsUpdates.Common.dll....(r......G?......;........,p..7P2r.V.\.t_@.=..-.._.R....]....a$...D......4.s.(`.A.<....O\.t~...DS....'....z...........a..xC.j..:.?.2...@.?g..@.V}.....K=g9B2....\...P.L........o....9`.Q.>V`..C&..-48....X3..X2J..oID.....mS..V...2..[..Uv.U]..lI..W.k..i.Sj.Q*.cg=.N.`.{0w.c....0...H../......V2...jA...y.D=..FiL.E....r.=Qj.h+...:.I.m.......O.......e.$.V..z..p.A. y.F..9?..q...6.m..{..q..DA...y.#0......w.{!..B-.....m..'Q4M...........g.F...<..X..+3D......r...o|.....K0...3..6.......v)............>.Q.........Xl..gCu.'./..7....`.Jr.......y..i...9.x-m.Pb.T.l.R#...ewg....L%j.6t...=.H.......^,&dX......cZ..ag....H&.R..".^....v.e.@....v.../...%9@=..~N...".._.+56....q..Z{...N%U^.d|,.K]s.@[.2.....Q..*.8.._.....~.V.+t.~....g!...p\8c.1...I...9j?.\.p.7....,d.....#..P..aN...5.].._7..5..O.......I`..s'....6..H...,..d.."(`.....&....l@.._...G.4T..Z7....o.6...u.(.a.-...h\.e.h.j6.L..O

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29224
                                                                                                                                                                                                                                        Entropy (8bit):6.376388174256496
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qpWI4FJ1CsZ1pL375SImXkmlkgGIW2W8f8Mn0DpQ8fz0m1NNyb8E9VF6IYijSJIc:UlexZT375i0qvT+b7z1pEpYi606v
                                                                                                                                                                                                                                        MD5:D8ACFFF68AB2B25E2BEBEACB8C26C594
                                                                                                                                                                                                                                        SHA1:B2B0BFD6C0B90495B0013D6F69144E1F841675F9
                                                                                                                                                                                                                                        SHA-256:DAF53A130F257E647ABFF99A883891B616C5AA6EDB8E81B1CC30F4CFDC910DD2
                                                                                                                                                                                                                                        SHA-512:E6AA3E8C054913BDF10F7998927E95F1E3F8AE67A570F648358954AF874ACF9F415BE712969C90F64B6C433FB0AE5AAACE87C780769DBC1B669FD11F79051A37
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..@..........N_... ...`....... ....................................`..................................^..O....`...............J..((..........@^..8............................................ ............... ..H............text...T?... ...@.................. ..`.rsrc........`.......B..............@..@.reloc...............H..............@..B................-_......H........*..`3..........................................................:.(......}....*..0..X.........(.......o......-.....>....o......2.,..o......,..o.......{....r...p...(....o..........*.(.......$..........&...........88.......0..M.........(......-.(...+..8.o....../.,..o.......{....r{..p.......(....o....(...+....*.......................&&.%.....0..].......~......o......-.~.....o..........o.....o........{....r...p......%...%...%...%...( ...o......*....................0..O...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2006
                                                                                                                                                                                                                                        Entropy (8bit):5.012466327549389
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:327h+1/gF27RgdSagFsg+w3jdgDSg+CagFPr7:K4Mw9cr7
                                                                                                                                                                                                                                        MD5:DE33D7BC716E96683CCAEC7E3DECC54B
                                                                                                                                                                                                                                        SHA1:6CAC5E2AE17A91F55760F3652DD1D954CFE34848
                                                                                                                                                                                                                                        SHA-256:E9EC2DB29E1A7F44D6FAD976E29627E2EBCC1C9FD1797D56A69106260B70B65D
                                                                                                                                                                                                                                        SHA-512:353BF5BC4E47C7218CD3EECEE83301950FAA7D48644BEA3FE2F47B5AB432D43B466EBCF8E1A1911923EC423D30682A8FA42A3EA878E7D85C8E91EC841543B887
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):201256
                                                                                                                                                                                                                                        Entropy (8bit):5.752384757578713
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:cwfnZYi3KYU6yLRgNZiVTC5dlwuIT2tl/pRLrPd3iqiTjw7RuHM6:FPZYJXINZCg/pJLNiqiTjSRg
                                                                                                                                                                                                                                        MD5:CDE6BA86139AE458ABC24DAD31A66465
                                                                                                                                                                                                                                        SHA1:36D1DF0BF16CC0EEDEA3118EC9993A3E6B0A65A5
                                                                                                                                                                                                                                        SHA-256:0FD22D6CDCD306538D9AD6E49A2CC4C2D6CC1D413097483B526419E55DD3FE09
                                                                                                                                                                                                                                        SHA-512:F4119BCA8C17697B3070E47BA672E0CE0A6AD4A4C0D358E6EE474DA02CC560A8B8FBEC8F17085DFA602D93FEDF2B422F70C2CC4C9AE6319CA6711BF220D56F7C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Uy..........."...0.................. ........@.. .......................@............`.....................................O.......4...............((... ...... ...8............................................ ............... ..H............text...$.... ...................... ..`.rsrc...4...........................@..@.reloc....... ......................@..B........................H...........D&............................................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. K.. )UU.Z(.....{....o ...X )UU.Z(.....{....o!...X*...0..b........r...p......%..{.......%q.........-.&.+.......o"....%..{.......%q.........-.&.+.......o"....(#...*..{$...*..{%...*..{&...*..{'...*..{(...*..{)...*..(......}$.....}%.....}&......}'......}(......})...*..0...........u.......;..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1780
                                                                                                                                                                                                                                        Entropy (8bit):5.027025756159462
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3rrL7h+1/gFSagFsg+w327RgdSg+CjdgDt:7r34owoR
                                                                                                                                                                                                                                        MD5:09CDFC3063DEC485A3C48111D5CEE297
                                                                                                                                                                                                                                        SHA1:02CEFEC66B6B2EEE120F97493D438F3B270AB5CA
                                                                                                                                                                                                                                        SHA-256:0ACF70AE533AF7D079F370AB3102B9563CA4C447C5DFC7A20C88AABE04295C01
                                                                                                                                                                                                                                        SHA-512:CA39056F79EFC8CE050FCCE1AAC21B2E7B62E65A0521E3CABF90C58A7249107658C2D208706FEC456CCC74D58DCDC22E23ECBAA43684613D4826505A426E1CB7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <depend

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWB:Wo
                                                                                                                                                                                                                                        MD5:6473ED6D0D25B902FD8B7CEE34B2D260
                                                                                                                                                                                                                                        SHA1:5D0890CB19224079F6581D88C15B24E554364771
                                                                                                                                                                                                                                        SHA-256:1BEAAB7D9B210D794011D33238AA883B2A9A60FCD58A7FD6C29203289363392B
                                                                                                                                                                                                                                        SHA-512:543699EEB71F06DF84B401FC98AFB8CA6EE3A9E9D5F9B6FCCE54277CABA6CDCE100CCCFD2E310A30F274E73F2BBA161C5886D5599DEFA99CCC324540F074B265
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=30.2

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):102440
                                                                                                                                                                                                                                        Entropy (8bit):6.190411276623129
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:xPAt6+FT+ZGodV5iYbYSWd85e+ZS5sSak42QhLks2OLv476GC:x2bYbYSWd85I5sSakFQhHLv4O
                                                                                                                                                                                                                                        MD5:7AE1430949A1C56AD042961653762263
                                                                                                                                                                                                                                        SHA1:75791D6326D7C82FDB27C680468D18C3F6B2DFF5
                                                                                                                                                                                                                                        SHA-256:38F922198A9B6557697F343C7024F542917D3098587F1FC9E9C755FFEC7D8852
                                                                                                                                                                                                                                        SHA-512:5338078891957549DFB64314ECBB798C389CBBBD6BBD258E98E4B865E6C2473AAB236078BECB742DD173A776A4A7B9A30C2936F558817CAFCFCC5C0358D9D520
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5*f.........." ..0..^...........}... ........... ...............................C....`.................................`}..O.......8............h..((..........(|............................................... ............... ..H............text....]... ...^.................. ..`.rsrc...8............`..............@..@.reloc...............f..............@..B.................}......H........s..|............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):95272
                                                                                                                                                                                                                                        Entropy (8bit):5.996467833078292
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:B4aRSNSrXS5EaKoDMsUVl0HAWMco2bJkjUB766K:B4auS7S5Ea6WMcpuUBQ
                                                                                                                                                                                                                                        MD5:DBE2521C43EAD76AA4BEB5B9C7D2F59A
                                                                                                                                                                                                                                        SHA1:792146B5EFD12DDDBADCAE9347C5919C49438E2B
                                                                                                                                                                                                                                        SHA-256:FC0AE3A42341726D460309967DC68EC1BE492F2E88011D23049478BD55119859
                                                                                                                                                                                                                                        SHA-512:1348C8D391D5EE4DD38F5F69CFFEF01F30916E3C1F184BD23F7E088C24F1C19D121080FD2DADECAE09EB8DAADB6F2690C3C53B527011A0E45CDDF73F7308CB39
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....=$..........." ..0..B..........b`... ........... ...................................`..................................`..O.......4............L..((..........h_..8............................................ ............... ..H............text...h@... ...B.................. ..`.rsrc...4............D..............@..@.reloc...............J..............@..B................A`......H.......Lh................................................................(......}......}.......}.......}........o<...}....*..{....*>.{....o.......*v.{....o...........s....(...+*...0..<........{....o.....{....#.......@(....o.....{......o........&.....*........55........{....o.....{....#.......@(....o.....{......o....*..0..$........(......`...%..".o......{.....o....*Z.(....r...po ...o....*..{....o/...r...p.(....(....o%...*6..(....o....*..{....*..{....*.s....z.s....z.s....z.s..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.655011797541533
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:jXh+/DtY2PLNyby2sE9jBF6IYiYF85S35IVnxGUHFeFlW9OtuYo:jXh+tY2jNyb8E9VF6IYijSJIVxaFmIU
                                                                                                                                                                                                                                        MD5:DE0940A5587A4484D0887A9E8F9525AC
                                                                                                                                                                                                                                        SHA1:A899252BCBA0A838D0ECE4B5424F20F7D55C4E2F
                                                                                                                                                                                                                                        SHA-256:57EFC5A6135C080291943EE3E54B42992AE3CFED361DE0C4CB0880D06F70E87E
                                                                                                                                                                                                                                        SHA-512:E2B90F6B89DD9FB3D80A04D4361BCBA24AA95E6FA539D3E9A298E53E63E8AF48342DBFA56DB12FF70812B4D86FA143A1CD361DB97CAE34483E8739D0D583C560
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T............." ..0.............v,... ...@....... ..............................H.....@.................................",..O....@..(...............((...`......H+..8............................................ ............... ..H............text...|.... ...................... ..`.rsrc...(....@......................@..@.reloc.......`......................@..B................V,......H........ ..d...........................................................&...(....*6.r...p.(....*..(....*..(....*"..(....*. ....*.r-..p*..(....*"..(....*. ....*.r...p*..(....*"..(....*. .*..*.r...p*. ....*.rN..p*..(....*.BSJB............v2.0.50727......l.......#~......<...#Strings....D...$...#US.h.......#GUID...x.......#Blob...........G..........3......................................................................f.....F...........n.................M...........2...........Z.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):75304
                                                                                                                                                                                                                                        Entropy (8bit):6.240548247823196
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xu2lKxktXgl4icipJNz671/nVYWREDnAvk2jkbukZmyJsldySMcAn9fG1EcfgrYM:AF+qo7mDEwj4NXLGcfgruFcaD76j6G
                                                                                                                                                                                                                                        MD5:EA66884148B982C181938D224D2864BF
                                                                                                                                                                                                                                        SHA1:3F10A7B2D40028814C9CEE4F1B968D35615FEBE4
                                                                                                                                                                                                                                        SHA-256:A66431B4751E904E6534C70A214DF47CFB6F277A638DC273578B21E4AFF30F97
                                                                                                                                                                                                                                        SHA-512:D6A7FB617F369A9775804585680DECF859588E216A7084ACBEF19CAEC62C32CBEF5427E56FDED786B4F1D8C5531BE1B48CCB6941EE2AB7CBD9FCD1B2CA6D656D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....6............" ..0.............F.... ... ....... .......................`............`.....................................O.... ..................((...@..........T............................................ ............... ..H............text...L.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B................%.......H.......t<..`.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*...0...........(.....(.....o....(....*.0...........(.....(.....o....(...+*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51752
                                                                                                                                                                                                                                        Entropy (8bit):6.406947621251296
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:0QMnMYnUFMSptE7C+t2RO3neZN8752vwzE8Kku6ZFMLcyXXEpYi606:09MYn1seLE8JFMLcyXQ763
                                                                                                                                                                                                                                        MD5:44572E361C8A5D83D3F88FBF26678CB6
                                                                                                                                                                                                                                        SHA1:F675826057A670E24787C1AF8FD1DDE7095512FE
                                                                                                                                                                                                                                        SHA-256:8FA8A85424521011BEFF1A943D6B43DBF4C1919F64059ABBAD713959AA1CBF78
                                                                                                                                                                                                                                        SHA-512:F1F6F2C953BBD277042FD20665F9F0D10C0FF8BDB3E126436CEFC7D5B425171DDF52F671E38F901622056DFD5E2E49D455963C1687EBA63C3ED30FF2FFFD3F7D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.............r.... ........... ....................................`.....................................O.......4...............((..........4...T............................................ ............... ..H............text...x.... ...................... ..`.rsrc...4...........................@..@.reloc..............................@..B................R.......H.......XE...q...........................................................0..........(.....o.....s........s............io........,...o.......jo....s....&.o.....O.........io ...&..i.X.O..........i(!.....i(".......(!....(#...*.........*.......0.._........($....s.......(%........i.Yo.....O......jo......s&.......io ...&(........io'.......,..o......*.........FS........((...*2.~....(....*....0...........()...,.r...ps*...z.()...,.r...ps*...z.....~....s+....s,.......o-....[o....o/...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145448
                                                                                                                                                                                                                                        Entropy (8bit):6.203459095547969
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:DRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhS:d9XeDmzV2yzlhKLFU1lLVp1+2flYFnQ7
                                                                                                                                                                                                                                        MD5:93E80E2402F809533066A5CFAB1A036D
                                                                                                                                                                                                                                        SHA1:E687A74691A96C38AF2C002ED084EA3989EE62F1
                                                                                                                                                                                                                                        SHA-256:34EC376EADB8E017FABE9DBEA7044BFC09C2CC6DB606DB8B92CEFD4A2128FD05
                                                                                                                                                                                                                                        SHA-512:01BC86EF55526457AF49526E9C85EA140C4E053A5463C3293109F14780DE37DA4929D3727407243DC1101CEC03F402D219F0E088BF21B194FB327340A7075710
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Antivirus:
                                                                                                                                                                                                                                        • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nI..........." ..0.............v$... ...@....... ...................................`.................................#$..O....@..|...............((...`......,#..T............................................ ............... ..H............text...|.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................W$......H.............................."......................................V!.b.....s&........*..{....*"..}....*..0..Z........(....o'...-.r...ps(...zs......(....o)....+..o*.....o.....o0...o+....o....-....,..o......*........*.$N......J.s,...}.....(-...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*6.|.....(D...*..{....*"..}....*..{....*"..}....*V.(....-.r...p*.(....*..(E...%.(....o"...%.(....o$...%.(....o ...%.o....*..(-...*..{....*"..}....*..{ ...*"..} ...*..{!...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96296
                                                                                                                                                                                                                                        Entropy (8bit):5.633445559193163
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:N2kKfq2RQuKDMOoytxL2L4zP+YuqL2zL7SAaDx4lbOw6OhkW76fJE:eQmyxL2L4D+YZL2X7SAaqywjhkWeE
                                                                                                                                                                                                                                        MD5:C761AE0EFFEBBC19712FF0AFA47CE0DE
                                                                                                                                                                                                                                        SHA1:97F433BEF7A8B99A9AA7AE9FDB3AD6EB1D106390
                                                                                                                                                                                                                                        SHA-256:12827A7383B15852EE8FF708877362C8BF576F44FDAE4E6FF9A9B1690D683328
                                                                                                                                                                                                                                        SHA-512:707BFB532BA8F997F5D2469ED11028666AF64044D179C083C71A14FE8A54E9368C6D69882D1E512CDC44EC792761D0CFD4EE5152B010F691F5E493FC0BB6C36E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....W...........!..... ... .......7... ...@....@.. ..............................d'....@.................................47..W....@..p............P..((...`....................................................... ............... ..H............text........ ... .................. ..`.rsrc...p....@.......0..............@..@.reloc.......`.......@..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):386600
                                                                                                                                                                                                                                        Entropy (8bit):6.135834446764712
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:9sETsbZnV4Nsaw8MkaybNq0qJh1rDHq4so8maLvdGCBg/8Q/ZmvEyk:9sbZnMfwWFKFrrWa8BvEyk
                                                                                                                                                                                                                                        MD5:CEC5B94BA8647554464BB8E6923BCEE9
                                                                                                                                                                                                                                        SHA1:4CF191F4477CF7B82ACC4405DE4CB558AEA668B1
                                                                                                                                                                                                                                        SHA-256:624AA1E6343CE9310389307B612D40EEBD6B04E24123E4190D1DACF521FC11A3
                                                                                                                                                                                                                                        SHA-512:1061BFA98B472B6999420B77728084C1281872687AE90687C01F3077FEB2272BC42153592D72D6B8D618C70C7D0240D9558B5D6EBAF838EF05BBEA67FC0FF18E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... ....................... ...........`.....................................O.......@...............((..............8............................................ ............... ..H............text...0.... ...................... ..`.rsrc...@...........................@..@.reloc..............................@..B........................H.......T...$...................x.........................................{0...*..{1...*..{2...*..{3...*..(4.....}0.....}1.....}2......}3...*....0..q........u........d.,_(5....{0....{0...o6...,G(7....{1....{1...o8...,/(9....{2....{2...o:...,.(;....{3....{3...o<...*.*.*....0..b....... ...u )UU.Z(5....{0...o=...X )UU.Z(7....{1...o>...X )UU.Z(9....{2...o?...X )UU.Z(;....{3...o@...X*...0...........r...p......%..{0......%q.........-.&.+.......oA....%..{1......%q.........-.&.+.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.835638359040336
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ZN9VWhX3WseNyb8E9VF6IYijSJIVxF5WBL0:rGZmEpYi60C0
                                                                                                                                                                                                                                        MD5:9FB340DC924069CCBDB4A53109680505
                                                                                                                                                                                                                                        SHA1:1F5F1A7A81991852931399A0E11458C8F1B86627
                                                                                                                                                                                                                                        SHA-256:4A53EBD4A61DCA9EB0F46625701BF9C1720A2AA4BE23EA1BFFEB9CC0D24334A9
                                                                                                                                                                                                                                        SHA-512:9BF44EF2319E0C3C50803EEE5066852323C931864C1241E77AC5A0ADA18D70B5C7734776C085C7D7D265771F81DE324F2332D91DE67AADEB858628AC2227C2F2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............(... ...@....... ...............................Y....@.................................T(..O....@..0...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l...|...#~......<...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.7...K.W...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331816
                                                                                                                                                                                                                                        Entropy (8bit):6.168725098420968
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:sBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTF:sDMUWITZznu85k8Wdn8KmCjIFi3Vv5
                                                                                                                                                                                                                                        MD5:6F8BEC6FACB3F7CCB38397B08590A196
                                                                                                                                                                                                                                        SHA1:1EA9953A3876025FC40EC7F58F6EB5ECB469951C
                                                                                                                                                                                                                                        SHA-256:8A14F59A3E963DBCAAF23706C91F02A390D68425FD160745174FB847FE750BE1
                                                                                                                                                                                                                                        SHA-512:4CE87BCB73E960626A553FD3E162E23B3C054E46740DAF198898ED79C4B3FC6720AC1CA1E8AB3CFBB3D43F1036AE4331B9069730A9B165DD2BC2C87A014E47B1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@.......>....@.....................................O.......................((... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............9..............H.............................................{....*..{....*V.(......}......}....*...0..A........u3.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q6....6...-.&.+...6...o.....%..{.......%q7....7...-.&.+...7...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u8.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):883752
                                                                                                                                                                                                                                        Entropy (8bit):6.071468980672946
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:h1n1p9LdRN39aQLU0NnWSo7NReIGeFTiQaMcK2VJNUR10+xMhCJqtgsxUsQ/:h1n1p9LdRN39aQZUqm
                                                                                                                                                                                                                                        MD5:29DCD9B065CFB49C8E52C930F7F4CE09
                                                                                                                                                                                                                                        SHA1:768CCADA86D84899E458221931EF08DFFF18D4DD
                                                                                                                                                                                                                                        SHA-256:1B6A5C03895D4722AE6A575B45564BAC1F6B7C63A8B3317CDA7048F868BBE8BD
                                                                                                                                                                                                                                        SHA-512:2C620A2E6003DCF311F40C8CA4AADBEFD572E1A20C7ED323AE738C9C23F20267F66DB0CA61A9796F45198C137404468A71EC7D7DE0F5A947B8B0BF0A6159C439
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..F..........:d... ........... ....................................`..................................c..O....................T..((.......... c..T............................................ ............... ..H............text....D... ...F.................. ..`.rsrc................H..............@..@.reloc...............R..............@..B.................d......H........%...2...........W.......b......................................"..(....*..(....*"..(....*..(....*..(....*..(....*.(....*"..(....*...0..B.......~..........(b...~....,.~.....oc......+...(......od......,..(e....*........../7......"..(....*6.(.....(....*..0..........(.......of...&.*.(....og...*2(.....oc...*....0..?.......~..........(b...~....,.~.....oc...+...(.....oh...&...,..(e....*.........,4.......0..?.......~..........(b...~....,.~....oi......+...(....oj......,..(e..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960227950500775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:YBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUJ+t:YBA/ZTvQD0XY0AJBSjRlXP36RMGvt
                                                                                                                                                                                                                                        MD5:9793A92CB1C1C940989601DEE0F0DBCF
                                                                                                                                                                                                                                        SHA1:958BA5FC0E03CCB502566A66C41F8AD5E38890D9
                                                                                                                                                                                                                                        SHA-256:B9E1C3B969F7D54FA8830E83AA3B5A53B8016D3F69CCDEF55BA730ACBE63E844
                                                                                                                                                                                                                                        SHA-512:0BF96E24288878A5A8554CE7FEB8988CB9CC9447E7734CA0AC44B973F0A49B54C4AC254743AE2FEE31AB7C8B4C21952AC1E3AACE43063D54C80A7DD174BEC3E3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......g<....`.....................................O.......................((.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):285736
                                                                                                                                                                                                                                        Entropy (8bit):6.18456718086945
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:DZAWDkTmokB1QI3A5XeedC1OcQykFlE1WhOMiSdNrgClZ73HpsP+zvH:DZU0BJwuOcrl1w7HX3HWi
                                                                                                                                                                                                                                        MD5:2D9C14E9D5F1DD0D6F4561AFE4EFB117
                                                                                                                                                                                                                                        SHA1:C35DE5E2080905AC3E1E488A7438D97D1DBAB813
                                                                                                                                                                                                                                        SHA-256:92C283F20DFE5948DF55FE662EFFCAE4C29796EA30619EA5680565D7ACD232DE
                                                                                                                                                                                                                                        SHA-512:FF68BA66200A352E2A342C4302C863C08D19BF697A3AFF12104C396F17BE19720E9EFA2CF6ECB639FCAD24E96429AB2269AFE3962C76CE781F14526B08DD13E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....&............" ..0..*..........&H... ...`....... ...............................9....`..................................G..O....`..L............4..((...........G..T............................................ ............... ..H............text...,(... ...*.................. ..`.rsrc...L....`.......,..............@..@.reloc...............2..............@..B.................H......H....... d..t....................F......................................^.{....,.(F...z..}.....*^.{....,.(F...z..}.....*"..(K...*"..(L...*...0..,.......s.......}............s9...sv....{.....(....*.0..-.......s.......}............s9....s.....{.....(....*....0..(.......s.......}............s9.....{.....(....*.0..'.......s.......}............s9...sv.....(....*B...s......(....*......(....*.0..'.......s.......}............s9...sv.....(....*F...s.......(....*....0..X.........(:...}

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25640
                                                                                                                                                                                                                                        Entropy (8bit):6.559882733809932
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3AQk7qYbA6fXDpLk5LHAxOEaGxBtNXNyb8E9VF6IYijSJIVxstR:k1LOg3BtNbEpYi60C
                                                                                                                                                                                                                                        MD5:DCFD01239E8A7F23790A7101DA676EF0
                                                                                                                                                                                                                                        SHA1:DD4634C7D293365B988B94E90A6D3D5870C1B943
                                                                                                                                                                                                                                        SHA-256:276C6EF4FAB5412DD3CD67B02D109F1F17CD095EF76A759E57CBFD90721558CC
                                                                                                                                                                                                                                        SHA-512:E77FBB7077283EBE3E1438A7EB318EF377EA13009898C486035A0A453A9ECB56E93728E91983A848B12D1D2FAC38581DFB08E424831A7F6A6FBAB305EC4CF891
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..............."...0..2...........Q... ...`....@.. ....................................`..................................Q..O....`...............<..((...........P..8............................................ ............... ..H............text....1... ...2.................. ..`.rsrc........`.......4..............@..@.reloc...............:..............@..B.................Q......H........*.. &...........................................................0..:.......~....s....(.....(.~....r...p.o....r...p.o....(....o......*.............(......(....*.s.........*.0...........(.....(....o....r...p(....}......}.....s....}......{....s....}......{....s....}......{....s....}.....s....}.....(...+.~....%-.&~..........s....%............s....(.....{....s ...}......{....s!...}......{.....{....s....}....*.0...........(....,..(....*.{.... ....rU..pr...p.o"...u(.....(#.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2029
                                                                                                                                                                                                                                        Entropy (8bit):4.997010915207503
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3Aruz7h+1/gF27RgdSagFsg+w3jdgDSg+CagFt:wruv4Mw9y
                                                                                                                                                                                                                                        MD5:A1DB8C019769BA7256F40E580304C782
                                                                                                                                                                                                                                        SHA1:6C0D70EE9CEBFC288A88B100F59D5554F8C42A35
                                                                                                                                                                                                                                        SHA-256:FC68DEF71CD783C53B3D106317F879E544E3443A55AF195BDD6C663F8051A96F
                                                                                                                                                                                                                                        SHA-512:795C141D06E70CD0D91ACFFE74F519EDB78382588B10927D456D20AA70D10BADCF02A626B8B666B00B21CAFCD555F03029D16EFAABCF1D762D58AA8095B6527D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5.2" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependent

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):210984
                                                                                                                                                                                                                                        Entropy (8bit):5.347926641317825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:asMNkrE4AOS3ncIzkq2ijc3Y28MNwH5Z54a7w:vMNkrE4AOqcIzQijLW
                                                                                                                                                                                                                                        MD5:D62F66067037F0A886F49623432A910C
                                                                                                                                                                                                                                        SHA1:1B004247986129E223012CD0EB4102EC09261EF1
                                                                                                                                                                                                                                        SHA-256:EC905D40CCA16B8541361CE8B46AED84696D7AC058B24CAFA05C537D122D6C20
                                                                                                                                                                                                                                        SHA-512:CD041171004B2D4CDB5C9F403EA7A1ECEE251386C8D558A8DE9D8D3DCFC5A0E91F4756DE3BEE113E50DC3D72434A8BF0E2427A92EB3E7E54DF60A7934C5BD375
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z............"...0..............;... ...@....@.. .......................`............`..................................;..O....@..@...............((...@.......:..8............................................ ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......@......................@..B.................;......H.......H$...............................................................0..;.......~....s.....(.....(.~....r...p.o....r...p.o....(....o......*............(......(....*.s.........*.0..x........(......}.....(.....s....}.....s....}....(...+.~....%-.&~..........s....%............s....(.....{....s.......s....}....*.0..5.......(....--(....o......(.......(....+. ....( ....{....,.*....0..I.........i....*..{.......o!.....{.....o...+.. ..{....r!..p.o....(#...o.......*.*............'..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19433
                                                                                                                                                                                                                                        Entropy (8bit):4.9963400212242055
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:hrg4CdkumUwfGReGWeGFuGgeKCUDuTeHOTu0U5e3eTOaUmS0SXStuKhubUfSJeZY:hrPOPUDCTHffIz
                                                                                                                                                                                                                                        MD5:78AE9CC6C7B11BAC2B18E82FC7623CDB
                                                                                                                                                                                                                                        SHA1:8314E6F35448B820C7C703FC3E4DE598D2A51AEC
                                                                                                                                                                                                                                        SHA-256:D3841AA3440CDA26776DDE128157294E69A70B21344D5877D640C457353C2DCB
                                                                                                                                                                                                                                        SHA-512:CE6A750E75090487C47095B80D47F5AD0C3D3DE4D6EC58A01E14CC694600FEF951AE371DD2A1B82C756ADD66825611B13240DDD3AAE6339ED85DBD3392DED7E5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Microsoft.ApplicationInsights" publicKeyToken="31bf3856ad364e35" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.22.0.997" newVersion="2.22.0.997" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="System.Numerics.Vectors" pub

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):284200
                                                                                                                                                                                                                                        Entropy (8bit):6.116883944959782
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:9ZgOtIGgeCEwNN4uaNZLVJ8ViVvW18KHxmeWntxX4xHh:Pgo0WPVTXgB
                                                                                                                                                                                                                                        MD5:B3A083FF4CBA132ED396B4065F8DB23A
                                                                                                                                                                                                                                        SHA1:8419F4EAE5F93791B80B978442F38821840049E5
                                                                                                                                                                                                                                        SHA-256:ED7D1084B55D98E76DC0D179ABDB9E709E9F0620B7E2DD9BE0642087F2238A9D
                                                                                                                                                                                                                                        SHA-512:AA05ACCCB10FDC132C124AC97FA85FED063065E26EA019A3914C778094BD361197D9949D3ABCCAE9A106B857C22838BFC6D4DC493698A3C9BD061C38417D0500
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....7..........." ..0..$...........C... ...`....... ..............................e.....`..................................B..O....`..D...............((...........A..T............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...D....`.......&..............@..@.reloc...............,..............@..B.................B......H.......X~..x.............................................................o...+*..o...+*..(....*n.-..r...p.r...p(<...s=...z*...(.....o>...-.r...p.r)..p(<....s?...z*.0..9..........o@......+$..........(A....oB...(...+,...+...X....i2..*..(D...*....0..n.......sE.....oF......+A.......(...+,/..oG....,.rc..p..oH....oI...(J...sK...z...oL.....X....i2..oM............oN....*..(D...*...0..E........oO....+..oP......oQ......8...,......o....-....,..o.........8.....*.*...........'.......V.-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.80745185498431
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:sDNxWQFWsoNyb8E9VF6IYijSJIVx5+zULOj:sDNVLAEpYi603L6
                                                                                                                                                                                                                                        MD5:5EA678C775885C4D41D2B8085D6C1329
                                                                                                                                                                                                                                        SHA1:DDEE62213D83D36761CD4753C817B7F532C90FDB
                                                                                                                                                                                                                                        SHA-256:511AFD4967D12F4BC7C372E06805CA25F10EA8C150485A4AAC7EEF34AD96FFEE
                                                                                                                                                                                                                                        SHA-512:A9E2AD6546E116B7F5251219B1490309E2DBC4A85609DC3F4F6CD3A74A0810E7D3C139435F3ADF4852C5154B30850ACF3F968176FCEBB7F98B4953EE9C42781E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0.............f(... ...@....... ....................................@..................................(..O....@..................((...`.......&............................................... ............... ..H............text...l.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................H(......H.......P ......................\&......................................BSJB............v4.0.30319......l...|...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.....K.N...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.67025116344336
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:8rMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxACSA0:8rMcXP64LEpYi60x0
                                                                                                                                                                                                                                        MD5:5448F30F77E8AC70F71ADE83B18472C4
                                                                                                                                                                                                                                        SHA1:5D9FAD6ED586ED5C4CB5A2A97742A318338D9643
                                                                                                                                                                                                                                        SHA-256:B686492BF626005C95E06D535F2EC57C5ECD4ABB57039148223B4C4BB58857C9
                                                                                                                                                                                                                                        SHA-512:FB99BE04C6D4A2717C9779E616064656D52EBB007F1BF590894E4A54D1DFEE483A659416CFDB9F2F4A57E93F66C0793690DEBD63181BDEB0FDF8B4DD44D39BD9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ..............................]G....@..................................B..O....`..@...............((...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.903910775953741
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Cm2igOWnW8rW/tNyb8E9VF6IYijSJIVxPT89oZ:qtaJEpYi60w9k
                                                                                                                                                                                                                                        MD5:73960FEC696D77048AD18D7A7E17E3D2
                                                                                                                                                                                                                                        SHA1:4B48B936F15CB825801C0A0D610C72C932BC03FF
                                                                                                                                                                                                                                        SHA-256:C07895B715613D99E0C06C8B6EA878583449B63D79FC70C6EA18A433CD97CE74
                                                                                                                                                                                                                                        SHA-512:D248679A2DC44E1958007999CCBCE907EF5191534821C2E4FE65F75E2DC2794B87CA8978FF3EAE89504193A72DBE9099E2B4FD7A799216729CA12FAD3EFAF13B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ..............................2.....@.................................t)..O....@..D...............((...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...D....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3................................................n.o.....o.....\...........8...3.8...P.8.....8.....8.....8.....8.....8.....1.....8.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.9013060612731305
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Anapn1iwwPWcGWT5JNyb8E9VF6IYijSJIVxagmKfFx:LDur5NEpYi600Mj
                                                                                                                                                                                                                                        MD5:D9B7F97B00C1019C0A658A8FD61D23AB
                                                                                                                                                                                                                                        SHA1:7436FD8F1295B94C9D4CACC0CD749214C5EFF9F7
                                                                                                                                                                                                                                        SHA-256:B0277FDF71A7A354DB40AE7B893935B1F1125D07A669EBA161402C1840D8760A
                                                                                                                                                                                                                                        SHA-512:253F0D268C6665B2B4FC10B4B69A02C0D09AFCBDC77261903D44F0BCF8084715977A4A955B8DB1FD0C465619ADC6491D377E9A4A718DEE21FA46CDF133BC3215
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...............................4....@.................................p)..O....@..@...............((...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..t.......#Strings....<.......#US.@.......#GUID...P.......#Blob......................3................................................F.o.....o.....\...........,.....,...(.,.....,...f.,.....,.....,.....,.....%.....,.................V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.905254064531646
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:2HLaEav5aaUa6arWVLWrMNyb8E9VF6IYijSJIVxg3wh:fPv5t/NOOMEpYi608o
                                                                                                                                                                                                                                        MD5:86DE589411D424DEAA6D93BA307F47D9
                                                                                                                                                                                                                                        SHA1:72F0DABE9E80E99FE6790038DB65B7A0F72BED79
                                                                                                                                                                                                                                        SHA-256:E598151F3E78C3FFC0BA5545EB5940958647E8BF602E63ECF827215847FEAA93
                                                                                                                                                                                                                                        SHA-512:DAED170855C06AF14E8051F41E6A4ED75476F573FCE0D45119DCB74209E5A9092DB4BE7FBCA63CAEADBA835E79C420C6E1F942F608CC55A07DF85C6B9D823E34
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............)... ...@....... ...............................!....@..................................)..O....@..P...............((...`......P(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................`.....`...t.M.................................=.....V.................q.....Z...................G.....G.....G...).G...1.G...9.G...A.G...I.G...Q.G...Y.G...a.G...i.G...q.G.......................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.761212536405013
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:o6iIJq56dOuWSKeWukNyb8E9VF6IYijSJIVxHDRxQpgu:yiAuEEpYi609mz
                                                                                                                                                                                                                                        MD5:45B171668A91DE91B8D8A967BDED3496
                                                                                                                                                                                                                                        SHA1:DC3CD286C8F6DBFC029D51B25D956751CA389702
                                                                                                                                                                                                                                        SHA-256:D37F94141FE5571E05C030DD509EADCA179262C73858301433CD7D503CBE8E83
                                                                                                                                                                                                                                        SHA-512:21D79E9D2DC5CB67D8ECDBB07181C7089C44CF050EEBA59923CFDC2615FA0AD86B2393DD4A32E94CC8ED3C2D84A54B646AB19753B433C4E8054E182398C89388
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...?..Y.........." ..0..............*... ...@....... ...................................@..................................*..O....@..................((...`......L)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..|....................(......................................BSJB............v4.0.30319......l.......#~..|.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3................................................k.~.....~.....k...........*...0.*...M.*.....*.....*.....*.....*.....*.....#.....*.....x...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C./...K.O...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.812043678321715
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:6nzz+MpSaLWW0+WCANyb8E9VF6IYijSJIVx1JGol:cpui4EpYi6071
                                                                                                                                                                                                                                        MD5:375A112E4A1B5F4267B87BFDA94DEC93
                                                                                                                                                                                                                                        SHA1:90CFAD6CB9D87089D904ACFCD06C2D2EFA531BD9
                                                                                                                                                                                                                                        SHA-256:7F6657438DF669688C5A9992E0F08CBC724D560FD551C72208EA45853F0F27D2
                                                                                                                                                                                                                                        SHA-512:AA66316049E361456FECEF59BE755D9B827EC3620A9B131B8E186264EFA824A878071E90DC7C0D7AFDC4E3D75E113A97777BFABBE534F26702D4668E262E38FE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............B*... ...@....... ....................................@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$*......H.......P ......................8(......................................BSJB............v4.0.30319......l.......#~..t...@...#Strings............#US.........#GUID....... ...#Blob......................3............................................................V...........j.................i...........8.................S.....<...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.'...C.B...K.b...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.859299181620408
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:aaGhr+YUfyHxsW/HW5zNyb8E9VF6IYijSJIVxVUCn3:qkmcvEpYi60p3
                                                                                                                                                                                                                                        MD5:B5A8331889DCD73D358F868F5010A716
                                                                                                                                                                                                                                        SHA1:BBFA855EFC2C8773B25531AB9BB9FE0524E244E0
                                                                                                                                                                                                                                        SHA-256:D28856D3150D49263D128FE64C01837C75AEE8994EA8AB2B2E98B8DE6CD0608D
                                                                                                                                                                                                                                        SHA-512:B5DBE05967C4CB8971A7431C6943ADAAAA8292314316B6462D44098BA7A02E23C7E382861023E1FEF30298D956A7382CDCCA74C4A69677D7FB70111CBCF6DFCC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............+... ...@....... ....................................@.................................<+..O....@..`...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................p+......H.......P ..4....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................................Y.]...{.]...6.J...}.....r........... .............................................................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.788309691299651
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:dRE+ruiA5vzWeNWdSNyb8E9VF6IYijSJIVx4X9bS:dS9b2yEpYi60Yw
                                                                                                                                                                                                                                        MD5:42128F9EF34A6A9C41BC3714F2420AE9
                                                                                                                                                                                                                                        SHA1:2A8B7590921D91998A9848E679A87A4966A22CBB
                                                                                                                                                                                                                                        SHA-256:AC30A3D9A14A3FEC5C77D26ABEE4AB5A01F0294ED37B10EB5AFEF7BDE35F4D10
                                                                                                                                                                                                                                        SHA-512:4A563AB4FFD79539BE42D670448699353E55F6179B64C487AB4726F6DA7B60419594C8EA2DEFCC9133D398A61FD60968D2992C9449CE0CEC522F80A876342BAB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0............../... ...@....... ....................................@................................../..O....@..p...............((...`......T................................................ ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................./......H.......P .......................-......................................BSJB............v4.0.30319......l.......#~......@...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3................................;.....Y.........8...........<...........P.......................X.....q.....g................."...................I.....I.....I...).I...1.I...9.I...A.I...I.I...Q.I...Y.I...a.I...i.I...q.I.......................#.....+.....3.....;.%...C.@...K.`...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.846804915804514
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:UT+6ywnVvW0LW5SNyb8E9VF6IYijSJIVxcLhE:U998yEpYi60z
                                                                                                                                                                                                                                        MD5:3FA1361360EEAFD4AA600D782C5B95FB
                                                                                                                                                                                                                                        SHA1:807E972A8BDD373A6775BD51C6E2707700656262
                                                                                                                                                                                                                                        SHA-256:19C32753A9AD183D97039C7600F261A049FF05D33F285D114D00A7D2F254D7A3
                                                                                                                                                                                                                                        SHA-512:D0228F30D6E4E7D6C55715EB3B595FF5272C94B77A367BFEA2B20375A937690D1B473E3641107D573DD5563A0CAD91097ADBD104E8D6ED5953AB683092BF4554
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@..................................(..O....@..................((...`......|'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...h...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....7.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.848936370515642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:QRbzriaXT+WlEWe5Nyb8E9VF6IYijSJIVxri+tlI7u2:W7icodEpYi60u872
                                                                                                                                                                                                                                        MD5:D4623C9E4AB0B90AD818A5138809851E
                                                                                                                                                                                                                                        SHA1:83F1FA87D111CC2546BC697BFC54DB102A0F1FC3
                                                                                                                                                                                                                                        SHA-256:415EC56DB96E1C881D0A625D8D5BD8443F32F746B879F3A4112477AD6F877569
                                                                                                                                                                                                                                        SHA-512:0C8FA761E6F84CC0BC334682840B6D19A7F868901B678E79FCA2F49616E1BD75BA9FEFCC6D62BA0F39CE65E91A73E2392DB121F6499E01B5E54E3FBD831FABA9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............6)... ...@....... .............................._.....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...<.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ......................,'......................................BSJB............v4.0.30319......l.......#~..H...x...#Strings............#US.........#GUID...........#Blob......................3......................................................k.....?.....$.....S.................R...........!.....j...........<.....%...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):148520
                                                                                                                                                                                                                                        Entropy (8bit):5.418030897059376
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:AdYO+3m9R6e1x03BZ6bDSzZ8B0uAP+CSR:y+2jv1x0ebezWiup
                                                                                                                                                                                                                                        MD5:C30F65C0031BF764B2DDAC10CD631AA4
                                                                                                                                                                                                                                        SHA1:3B2C305596D50E79FFBB879277AB8C821F888574
                                                                                                                                                                                                                                        SHA-256:CEF99EA049507B57C9AB0D99EEF234CD868B79AD8B36A569ED95A0DD95468938
                                                                                                                                                                                                                                        SHA-512:639AF84758EFFF76228D28B81BF3AA87E29A9A44481EB2CED28B159AD0CDCBB0C7B4D9EE8358287E29F89B5E96AE910A06221AE6DC013D7CB6C7C3C65B679FB9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............,... ...@....... ...............................*....@..................................,..O....@..................((...`.......+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H........A...............?..h...t+......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r;..p.(....*2ro..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2rK..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2rM..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.809826405533208
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:jzNnzx7FWjYW5mPVNyby2sE9jBF6IYiYF85S35IVnxGUHF8oymi9LJxz:/RtRWjYWw9Nyb8E9VF6IYijSJIVxIhxz
                                                                                                                                                                                                                                        MD5:03632BEE2A8C4399C7A6638E77B7BDF5
                                                                                                                                                                                                                                        SHA1:29D83EED2A94F58D7B9D5D9993E305111B3F9458
                                                                                                                                                                                                                                        SHA-256:B4326EDB65AF72D07E07BEFCCE899F940AC28F2AA3E0B83130722A263B8F7376
                                                                                                                                                                                                                                        SHA-512:B1408BE605FDA4B7FFF8E911C01AB0BCC60E084B9C99D366388A13875B1F080FC3812205DA14A24A6E777EFC83EA19832CBB85E38BF6CBA40E28CFFE049EC8BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............*... ...@....... ..............................%.....@.................................x*..O....@..@...............((...`......@)............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................*......H.......P ..p....................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings....H.......#US.L.......#GUID...\.......#Blob......................3..................................................-.....-.........M...........[.................'.....@.................[.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8927438121416635
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:peWnoW7zNyb8E9VF6IYijSJIVxG1+MsaR:pnJvEpYi601MJ
                                                                                                                                                                                                                                        MD5:F37DE5A355ED1ABC75C046F27BC2F4B1
                                                                                                                                                                                                                                        SHA1:C972C7CBC306499908E10E2482D862871D8C716B
                                                                                                                                                                                                                                        SHA-256:CCA3B1E53F1423D56CDED1D310B473989C38E342F6345B46E96409CAAA647740
                                                                                                                                                                                                                                        SHA-512:4A023C1226026B26C9FCD701BDFE2E1672D43B513D4E0F5602B71CB0C96C305F8B46AD8A28C33694890FB0AC4F753D460841B04549A4B39FEE4CB3C17838C03F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ..............................zH....@.................................X)..O....@..$...............((...`...... (............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................)......H.......P ..P....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings....,.......#US.0.......#GUID...@.......#Blob......................3......................................K.........]...........d.............o...".o...?.o.....o...}.o.....o.....o.....o.....h...-.o.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):99368
                                                                                                                                                                                                                                        Entropy (8bit):6.236464835220594
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:qgDoXrtUaK/XIg+rZAXj8s9HaWt9LuOw9VHHV55aTwWbaD7633My:9itRK/XIgIZAXjD96WfLtGdM5baDw
                                                                                                                                                                                                                                        MD5:0A8B3D6653A19A29D8C8F2A5A50386D7
                                                                                                                                                                                                                                        SHA1:86380F961B9328B5FFC631BDD71A391A5864D35D
                                                                                                                                                                                                                                        SHA-256:8D99AF407453D0A0C9866C3354853973DAE96E2F57809EBB80420CF024B4CD7F
                                                                                                                                                                                                                                        SHA-512:D4E8F91BB41874F19F91A39BC6C2E0EEFFE4459502E9A1C96149F96B0D8E6D28E176C589BDB70EEE8A3993A0D14AF4047519616448B9B43C1394276C6F331B9F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...v.#..........." ..0..R...........o... ........... ..............................n.....`..................................o..O....................\..((...........n..T............................................ ............... ..H............text....P... ...R.................. ..`.rsrc................T..............@..@.reloc...............Z..............@..B.................o......H.......4................e.. ....n........................................{'...*:.((.....}'...*..0..#........u......,.()....{'....{'...o*...*.*v ..yN )UU.Z()....{'...o+...X*....0..:........r...p......%..{'......%q.........-.&.+.......o,....(-...*..{....*:.((.....}....*....0..#........u......,.()....{.....{....o*...*.*v ..:. )UU.Z()....{....o+...X*....0..:........r-..p......%..{.......%q.........-.&.+.......o,....(-...*..{/...*..{0...*V.((.....}/.....}0...*.0..;........u......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.FileVersionInfo.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.853023049206083
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:E6oWJjWN3Nyb8E9VF6IYijSJIVxukXvjY:E6vk7EpYi60h7Y
                                                                                                                                                                                                                                        MD5:A906375106043CAEFDE3976F6C8AB9D4
                                                                                                                                                                                                                                        SHA1:6204B5F51841B7AE4495A51FACD85F297FF97C10
                                                                                                                                                                                                                                        SHA-256:37F3C382C8AB3940133B5ABA569EE4AB19FEB812A84DC6FB375E5C73DD5793EF
                                                                                                                                                                                                                                        SHA-512:5F2901F3CE2F8AA40236C5830544A18D32FB92DFBDE51D43531F966F46E61597A31CB59C3434DDB01D10D5F715DD74923A174A51C9BBC86E227D3F18778BAD1E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@.................................H(..O....@..p...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc...p....@......................@..@.reloc.......`......................@..B................|(......H.......P ..@....................&......................................BSJB............v4.0.30319......l...|...#~......(...#Strings............#US.........#GUID...$.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.$...C.?...K._...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.777238182826117
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:yqk53/hW3fZ+zWqyNyb8E9VF6IYijSJIVxjYCFe:yqk53MmSEpYi600ke
                                                                                                                                                                                                                                        MD5:CEA95C8FE05E4AC7F101EEE6F3DA67E9
                                                                                                                                                                                                                                        SHA1:75388B7B7EC97F278AE11AB1B9143A8F47D2148E
                                                                                                                                                                                                                                        SHA-256:0942BC5F9434099E8AEF7C512589990F553E58F4CBF4C603ECA1DBD68A44A805
                                                                                                                                                                                                                                        SHA-512:5B2E070E6CDEF67712D04F9FED6232E1BACC9FCBEEDEAAF8422A107DCC53AFA74D3446AA70901792034673F3ED61E8EA85135A95779B225500289376817893E2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............**... ...@....... ..............................e.....@..................................)..O....@..0...............((...`.......(............................................... ............... ..H............text...0.... ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................*......H.......P ...................... (......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................j.q.........~.................}.....3.....L.................g.....P...................k.....k.....k...).k...1.k...9.k...A.k...I.k...Q.k...Y.k...a.k...i.k...q.k.......................#.....+.....3.....;.....C.7...K.W...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.StackTrace.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.660095127054316
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:kFCc4Y4OJWfOWqWWOW7yNyb8E9VF6IYijSJIVxwO0taA:wCcyCrSEpYi60A7
                                                                                                                                                                                                                                        MD5:614FD8917DDAAAE2CBF088758C73914B
                                                                                                                                                                                                                                        SHA1:C379035B13A5D070B4A943EBB8BB01EE543674C7
                                                                                                                                                                                                                                        SHA-256:EDD5EA3BF48C308839100BF8E3FECD0ABD0946D6A0DEC23AF945C613AA06743A
                                                                                                                                                                                                                                        SHA-512:365B2E6A664B550E74316A7EF6F57ABAF93A599792B7E4C3643EF5FDE4E20A4FCDB1D0F0753F6D4E178897EA2A802D85007408AA13439C2D0DF1B118341EB962
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............N.... ...@....... ...................................@..................................-..O....@..................((...`......L-............................................... ............... ..H............text...T.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................0.......H........ ..4....................,......................................F.(....~....(....*6.o.....(....*6.o..........**.o.......*.~....*.~....*.BSJB............v4.0.30319......l.......#~..<.......#Strings.... .......#US.(.......#GUID...8.......#Blob...........GU.........3..................................................8.........*.h...m.h.....Z.....$...........Z...+.|.....Z...1.Z.....$.....$.......3.D.......|...F.|...c.|.....|.....|.....|.....|.....|.....Z...I.|...}.Z.....Z.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.872731468371506
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:GlTx93aWxMW5XPqNyby2sE9jBF6IYiYF85S35IVnxGUHFwPtr06Um:uAWxMWxiNyb8E9VF6IYijSJIVxMPtrxr
                                                                                                                                                                                                                                        MD5:93711124171608F9B42E4B2181484D43
                                                                                                                                                                                                                                        SHA1:E2904EBF5CF652EB87B6AA095CB33F830A506916
                                                                                                                                                                                                                                        SHA-256:CE38259EB6E894014FCF7B86F378F80181C54AC66DB0B6AB50747F7EE1801723
                                                                                                                                                                                                                                        SHA-512:7A309EC9697E31441AE05CEA45454ECC62E6CB09059E033E73751695A24C5BCF3C37494DAD56FE6A1E376FD9E14AB5D6DB259FE5C412E9C99433D1C2ED19980E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..................((...`......L'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..|....................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....D.......#US.H.......#GUID...X...$...#Blob......................3......................................z...........!...\.!...0.....A.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.,...C.G...K.g...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.854587687942687
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:7YqArxbYWHaW5oPINyby2sE9jBF6IYiYF85S35IVnxGUHF2zfxGoKDM3W:TAlcWHaWOQNyb8E9VF6IYijSJIVxyo/N
                                                                                                                                                                                                                                        MD5:DDAFBA73BDD9BB3E0FB95B743D55CB3E
                                                                                                                                                                                                                                        SHA1:17622DE666A4F3A926F6999D6FF0813A0F0E9788
                                                                                                                                                                                                                                        SHA-256:F955DDF9ED01345FFCD404F723407EB610BBB6BF38BB105D4FEF37B15C27E0C4
                                                                                                                                                                                                                                        SHA-512:C3BBC2D177E750BE5BEED95A49D32653919F02F583BD239E0BD3D5E94AA3E916768E0F3295DBDB223144673A5A58CD19FA59B627C9E556CFFDE273968D898666
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@.. ...............((...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......|...#Strings....p.......#US.t.......#GUID...........#Blob......................3............................................................`.....1.....t.................s.....).....B.................].........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.774908284976976
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zeIZnWlNWTaNyb8E9VF6IYijSJIVxpcstD0nX:iUyo6EpYi60PonX
                                                                                                                                                                                                                                        MD5:332CBA66AF5A16D8B1B987CCC925F190
                                                                                                                                                                                                                                        SHA1:8C884DDEFC71B1B86321D77D8D191A9B8E3D5066
                                                                                                                                                                                                                                        SHA-256:DF7D583A05D06A5CD414A9850A14052F27164BF878FD0AD915B4BE0FCB996220
                                                                                                                                                                                                                                        SHA-512:B9B384FFB78DD18530E50F46FE07A615E2E8733AF5153EB40751C8C444E3EDD24C7B13EC22D39D82A7840F53E86C5F713D1B05B9F05F39884E9EB26295E45175
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............2*... ...@....... ..............................G.....@..................................)..O....@..P...............((...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ......................((......................................BSJB............v4.0.30319......l...\...#~..........#Strings............#US.........#GUID...........#Blob......................3............................................................t...................................=.....V.................q.....Z...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25640
                                                                                                                                                                                                                                        Entropy (8bit):6.493960742291261
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:KlQnCMi33333333kj8xe+5PTYM3zUy+CezHjzgKj0uRWOdWmWJdWZ+Nyb8E9VF61:gQq33333333kX+TBi8OGEpYi60/o
                                                                                                                                                                                                                                        MD5:422211D2F5D7ED59687A37ECE190DDF6
                                                                                                                                                                                                                                        SHA1:E4BE0F7A07DB68D8E43AEC62922C4DDD2F60AB4F
                                                                                                                                                                                                                                        SHA-256:642CF9972708FCA429C836F717FBB3FD9C75369B662FA5D8A71D34A9A91DC304
                                                                                                                                                                                                                                        SHA-512:3157502CBD89ADD0AFFC1D90D47E76BD9B676D5A91F9E47E9606B39E31D016F3CE91C4D74755927C805353256C514E66259E4E11798E9F724F2BE3A3E8918DB7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.............RM... ...`....... ..............................DM....@..................................L..O....`..x............<..((..........PL............................................... ............... ..H............text...X-... ...................... ..`.rsrc...x....`.......0..............@..@.reloc...............:..............@..B................3M......H.......8*...!...................K.......................................0..H........(.....-.r...ps....z.-.r...ps....z.(......}......(#...}.....{.....o....*"..(....*....0..Z.............%.r#..p.%..{.....%.rA..p.%..{..........%.rS..p.%..{....l.{....l[...ra..p(.....(....*&...{....*.0..4.................}......+....{.....".......X.....{.....i2.*.0..k..........{........{..........."....(.......X....{.....i.0%.(..........(.....(.......,..(........"....3.....}....*.......=..M......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.849868448509138
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:028YFlXulWY/WGONyb8E9VF6IYijSJIVxKD9Pg:00qX2EpYi60p
                                                                                                                                                                                                                                        MD5:CB32C6061E26B386584BD9CB8937DD9F
                                                                                                                                                                                                                                        SHA1:B09E73D9C57310B7BF39F2B7B763EBECF9EFF305
                                                                                                                                                                                                                                        SHA-256:97A015EED33967F01157B982FC96ABCBA333191DFB97B793397EEA9CB1BA2B06
                                                                                                                                                                                                                                        SHA-512:8CC362FC3FD0BCE42AD3E4F22B538E7B9B377C63CE992F30C0559BF1AEBB63701AE36CC76054DF9C0358E451A0E22DFB7C081C8465576B327040F42E932DF4E4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ..............................7.....@..................................(..O....@.. ...............((...`......t'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~..,...P...#Strings....|.......#US.........#GUID...........#Blob......................3......................................................~.....R..... .....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.724457027062359
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ruMLcdQ5MW9MWYONyb8E9VF6IYijSJIVx3g5:6OcSpS2EpYi60I
                                                                                                                                                                                                                                        MD5:0749DE023247060FA69D5005B72D05F5
                                                                                                                                                                                                                                        SHA1:BCD4585CFADD7A3256D079DBB7377562E960A734
                                                                                                                                                                                                                                        SHA-256:F0F2AA6075B738A8895C69713DCC754505E273665A0559BE5F9C06DCB21A3E04
                                                                                                                                                                                                                                        SHA-512:620738F6725672A0BC54D57FDE5D594108AC24AE5C8C743E8C15E18FC84A2170608926576C4C0A51E606DDA9BBA6586EB34AFBDA2A35E1479F1DF6B421000306
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............,... ...@....... ...............................O....@..................................+..O....@..................((...`.......*............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l.......#~..p...0...#Strings............#US.........#GUID...........#Blob......................3................................................;.........................$.....$.....$.....$...[.$...t.$.....$.....$.........g.$.....#...........e.....e.....e...).e...1.e...9.e...A.e...I.e...Q.e...Y.e...a.e...i.e...q.e.......................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.814273587968228
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:AZ7RqXWDRqlRqj0RqFWqENyb8E9VF6IYijSJIVxVaIo6:09qKqjqjuq5kEpYi60C6
                                                                                                                                                                                                                                        MD5:8D2C2CD9B68FF4ACEE1FB4C2834F3B5E
                                                                                                                                                                                                                                        SHA1:66913E4F8AA71EA16BDCCEC87A832AD850D1C9C0
                                                                                                                                                                                                                                        SHA-256:DEEF6D89C2DBE482F43CE4BA7B242660D9565810BB1FCBC2D8A37D8E88090F14
                                                                                                                                                                                                                                        SHA-512:CA27C949CD9A3F0BE7CBFB0D8C82AF3F5FC552F5DBF1F84AB5DF25FCCFA0917D23955D92E64D5C7977FE26D37555107CC8FD7EB3834080DE0C5667419076298B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............*... ...@....... ..............................7y....@.................................X*..O....@..P...............((...`...... )............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................*......H.......P ..P....................(......................................BSJB............v4.0.30319......l...L...#~......l...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0.....%.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20008
                                                                                                                                                                                                                                        Entropy (8bit):6.625657997130846
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:eNBMbljRC+lgfS1RPWYR1Rw0R9WYRPWYRDRj0R9W7eNyb8E9VF6IYijSJIVx3xH:evMhF2SzNzwu/NljuQmEpYi60B
                                                                                                                                                                                                                                        MD5:47C3B21FFC0966C506F850F723D358D0
                                                                                                                                                                                                                                        SHA1:033F53B07F6F3D17BEDEF483B251DFA41EE3258F
                                                                                                                                                                                                                                        SHA-256:A53DFA563B37E80C35B139F60B86231F66A64BD3856ECC3A00732C2EE1DB84C5
                                                                                                                                                                                                                                        SHA-512:8FE75506398A62EBA831331BFED8F32C84BC6F4641D6DE6C98F6152BC8CD1AFB3B3C0AA6A49F803791D3989700C99C5EC511584ABD0112B239D35B56687C0C8A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............6... ...@....... ....................................@.................................a6..O....@...............&..((...`.......5............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`.......$..............@..B.................6......H........"..H............4......(5........................................o....*"..o....*..o....*"..o....*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*......(....*...0..K........-.r1..ps....z. ...@3.(....*. ....3.(....*. ...._,.(....rI..ps..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.899758032838543
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:LZ4RLWdRfRJ0RZWDeNyb8E9VF6IYijSJIVxlyFG:LZK0pJuImEpYi60o0
                                                                                                                                                                                                                                        MD5:88B0416D84AC74BBE8FD5A5A4CF0A0E6
                                                                                                                                                                                                                                        SHA1:0D158BA1BAA4F015ED81F70196F132F5E3FD08C5
                                                                                                                                                                                                                                        SHA-256:983A680ECC3A12546900C6882115AF8C83E534BA238A329C221001294447EE4F
                                                                                                                                                                                                                                        SHA-512:1893D52DD0E8C8D2A9DBA073D6888DA0972AB9C067C20F061CE8F2988B4A416E2C1763F6959AAE4BEB9D7B0B4FC46CC9DF44F619838FB6120CEB87D41D48B1AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ...................................@..................................)..O....@..................((...`......h(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3......................................................m.....A.{.........U.................T...........#.....l...........>.....'...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.797577854527455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:2Fx+WTIEfW5uP6Nyby2sE9jBF6IYiYF85S35IVnxGUHFz9ZIQOoz:2YWsmWIyNyb8E9VF6IYijSJIVx39mBe
                                                                                                                                                                                                                                        MD5:2857137B07AE003E4409FF3C2877BF8D
                                                                                                                                                                                                                                        SHA1:91968C48E06B6F971A6B53C98BC280441381870F
                                                                                                                                                                                                                                        SHA-256:614777135464E413B1B6F8F5C408B43E6E5247F412DD49DDC1BCB9869F861857
                                                                                                                                                                                                                                        SHA-512:7C9C7D880BDBAEB2F26CAE0F060C525D21041442159EE0C4AF3B1398BED0B04525095E1367C559DA8A4D363DF10245E80C9DD2D15E38B902B41D295713B3BEF9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............*(... ...@....... ...............................(....@..................................'..O....@..@...............((...`.......&............................................... ............... ..H............text...0.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ...................... &......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................z.....N.....".....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........:.....C.....b...#.k...+.k...3.k...;.....C.....K.....S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):105000
                                                                                                                                                                                                                                        Entropy (8bit):6.382210592092604
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:0vc/U5yNq2oS4Zd0LE3YigSFvhoZO2K3aAYH2TfXmNoJXBA76s:0gk1tiLMYiDFvxqrWDWNoJXBAv
                                                                                                                                                                                                                                        MD5:A0829359A62989682E11D24CC4EBF6D1
                                                                                                                                                                                                                                        SHA1:C88788DC49E75E7749EBAFBD7F4DDF98C0D1A242
                                                                                                                                                                                                                                        SHA-256:7EFCC3AC0DD72EF7C16D28B1359F1FDD68980279FFAA3BAE604190DDE2609248
                                                                                                                                                                                                                                        SHA-512:C9218E628DD1102A283A3C24EF480BCEA55EAECF603C1292387A8CD798DC9DF329A64C3B1AB423364CFA8A5168CE4A9DBCB7C6D6A836AC252A504AD888AF8FB0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..d...........W... ........... ..............................S.....@.................................5W..O....................r..((...........V............................................... ............... ..H............text....b... ...d.................. ..`.rsrc................f..............@..@.reloc...............p..............@..B................iW......H........................9.......V......................................j~....%-.&(I...s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r7..p.(....*2rs..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r=..p.(....*2r_..p.(....*2r...p.(....*2r...p.(....*2r...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.DriveInfo.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.854418584832598
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:xKcuz1W1cWliNyb8E9VF6IYijSJIVxLnFbY:Lu8niEpYi60bm
                                                                                                                                                                                                                                        MD5:D3F7B9A0B11352E419B1CDBCF83015E7
                                                                                                                                                                                                                                        SHA1:12C4D615CC63861DCD6F36E142D61C2BC78A5845
                                                                                                                                                                                                                                        SHA-256:B0B8B8A3C2EE091A771B4B2C845253D40D649405A078BEC4FD52017288B44B68
                                                                                                                                                                                                                                        SHA-512:ADC3092DE4F50DA7E5786DF6DD7A083A4C7B96DE3C2208A2C08EA9F4D670D6F2450CBE3EFCD11CBEBAB858D3CCA921B8A6B3DA9702416FDA87AAEC60246576D1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..P...............((...`......H'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..x....................&......................................BSJB............v4.0.30319......l.......#~......H...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................................p.....D.....9.....X.................W...........&.....o...........A.....*...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8598164148424745
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:w+SWikW0uNyb8E9VF6IYijSJIVxAd5qIAl:w+eGWEpYi60CWl
                                                                                                                                                                                                                                        MD5:AE3A14237FFFAA2318D5C49B9D25384A
                                                                                                                                                                                                                                        SHA1:C60BF9017A83802D6F30F67C10F3F359862F94AF
                                                                                                                                                                                                                                        SHA-256:877A64788C32983750F89E1069E80F18B5E8CA1503BDD133E49166476BAB8AF4
                                                                                                                                                                                                                                        SHA-512:0E0AEC9F717C61853877B2EAAB58BC74C07EA8B65920E80A97F0B2E8B5B8723457E9B6EFD965E25DCFCD93C006371680579B455CE2646A852D153AB104210A08
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............(... ...@....... ...............................|....@..................................(..O....@..P...............((...`......d'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....h.......#US.l.......#GUID...|.......#Blob......................3......................................................y.....M...........a.................`.........../.....x...........J.....3...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.906965523502173
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:IDxxhREWzgW5APUNyby2sE9jBF6IYiYF85S35IVnxGUHF76am92w:8AWzgWSsNyb8E9VF6IYijSJIVxXfw
                                                                                                                                                                                                                                        MD5:8322245B353A448868701EB5CEFF0366
                                                                                                                                                                                                                                        SHA1:BB03ECD3AD48ED71DC2D74CBF294D106017A0C61
                                                                                                                                                                                                                                        SHA-256:08DD4875CE67D7DD68B8049A35C5D156ECF8E5E609147A64F42B543A8ED69850
                                                                                                                                                                                                                                        SHA-512:307A076DF0487DA10750C0C62FB17ABC4E528CBB98D5C63660DC7D9CD0728EAA58BEDE374BA96EB454FD1FA979AFD35C00F9472231DEDA8B0669392CF53658BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@.................................p)..O....@..@...............((...`......8(............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................)......H.......P ..h....................'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................C...f.C...:.0...c.....N.................M.................e...........7..... ...................*.....*.....*...).*...1.*...9.*...A.*...I.*...Q.*...Y.*...a.*...i.*...q.*.......................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8644676373526705
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:JBLRWbYWziZNyb8E9VF6IYijSJIVx7cvS/:JB2xi9EpYi60Yq/
                                                                                                                                                                                                                                        MD5:F6EF07D79AFC7E675FA5EBDCC7D79B7F
                                                                                                                                                                                                                                        SHA1:9B554BD08408D81C7A1C8BF75BC3F14296B434FE
                                                                                                                                                                                                                                        SHA-256:C6BA6C36B72BB0958CB87F31688600C2BBB2C1BADB0F37A736FEA63EF1246D82
                                                                                                                                                                                                                                        SHA-512:785693D1EEF499896C92307D99B09B96C3003B44C8AB8A6309F4AAD11FCDE8E2E05ED473C4035EAA7895B2D65E705F12214DC8112865CB4F490538D0EE49F275
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0.............b)... ...@....... ....................................@..................................)..O....@..................((...`.......'............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................D)......H.......P ......................X'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US.........#GUID...........#Blob......................3................................................../...z./...N.....O.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.851248772240086
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:7ZxcMRW4/W5TPPNyby2sE9jBF6IYiYF85S35IVnxGUHFyF5yjfvu:nHW4/W1HNyb8E9VF6IYijSJIVx+ifm
                                                                                                                                                                                                                                        MD5:1674279C744E0AC92C37E8D628AFCC58
                                                                                                                                                                                                                                        SHA1:80BB542E1ACC2772680BCE8DA7877F2E30060964
                                                                                                                                                                                                                                        SHA-256:1826483303E6F886E4E7179FAD0B95992E626CDD0872EAA162F2F1290F752331
                                                                                                                                                                                                                                        SHA-512:4FA1EE9BB253447583021069AB844E0D99F5235BE33684E5F867EE51C171E0B2C0B0F43711525A554EE39A1414FE863CA8C32083608129B294654C35521FA58B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................X.....@..................................(..O....@.. ...............((...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......\...#Strings....`.......#US.d.......#GUID...t.......#Blob......................3..................................................+.....+...^.....K.....r.................q.....'.....@.................[.....D...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.MemoryMappedFiles.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.910107223210915
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4vk7hWmCWKpNyb8E9VF6IYijSJIVxu4kG:4s7/GtEpYi609
                                                                                                                                                                                                                                        MD5:103C951C64757F344A50EEC3AB210780
                                                                                                                                                                                                                                        SHA1:3406E20443764E718D0AD3D0672575B0B514FCFF
                                                                                                                                                                                                                                        SHA-256:49EB49ABA189D221520F2CB0C86160BC917662FF2651CEEB8AF4B2155DE3EE99
                                                                                                                                                                                                                                        SHA-512:DB55DE900E686A43CC68A74B39D9FC48BC4CEF1B504622C6B9BD2687971E45EA689F33B034C1316247355BAB34F7113E6E67FC844922164303AB04E99F87E012
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@.................................h)..O....@..0...............((...`......0(............................................... ............... ..H............text........ ...................... ..`.rsrc...0....@......................@..@.reloc.......`......................@..B.................)......H.......P ..`....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....8.......#US.<.......#GUID...L.......#Blob......................3................................................ .C.....C...w.0...c.............................@.....Y.................t.....]...................*.....*.....*...).*...1.*...9.*...A.*...I.*...Q.*...Y.*...a.*...i.*...q.*.......................#.....+.....3.....;.....C.8...K.X...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.876264376456095
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:GUiW2xf+C/WCUW5wP5Nyby2sE9jBF6IYiYF85S35IVnxGUHFLZiDCENuF:0GMWCUWiBNyb8E9VF6IYijSJIVxRFj
                                                                                                                                                                                                                                        MD5:C8207749CB8E4F9DE161977613BB707C
                                                                                                                                                                                                                                        SHA1:3FC2B5274331FD3029A6B406D2F9D78D2167F365
                                                                                                                                                                                                                                        SHA-256:C00FC1D2AF59900AAAC2B8F146519F19E4BAECDE6C2FFB570EB93F0429D67055
                                                                                                                                                                                                                                        SHA-512:3416C0FB1FCF6A647D62C0244B2A2825F91151706CA3D53C687CA6C7CE9B26CE278E752650BC5042368830FD8D89B76B0A40C22114FFB4CC15BFFC9137C5CD47
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................V.....@.................................@)..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................t)......H.......P ..8....................'......................................BSJB............v4.0.30319......l.......#~..X.......#Strings............#US. .......#GUID...0.......#Blob......................3..................................................].....]...T.J...}.....h.$.....$.....$...g.$.....$...6.$.....$.....$...Q.....:.$.................D.....D.....D...).D...1.D...9.D...A.D...I.D...Q.D...Y.D...a.D...i.D...q.D.......................#.....+.....3.....;.....C.,...K.L...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8553217627762395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:JBhwI7WSQWEQNyb8E9VF6IYijSJIVxCtgBo6:JDwIBSoEpYi60j
                                                                                                                                                                                                                                        MD5:24D56DB5DDD0839D6A08D68D754B2F5D
                                                                                                                                                                                                                                        SHA1:1E6BCCAC0382417F04B829FC9F64E1988715620A
                                                                                                                                                                                                                                        SHA-256:F8EFFD4778723BD663AC172C09DAEAC2F55727F9865F4D204D275B7A2828907D
                                                                                                                                                                                                                                        SHA-512:B05261B53928A15E38DDB74BEA54FEC7BE183AAAE62BAED261D16FFCE4E63B7229B9940F6BDED12DBBE846B943D1106023C4BAF16D99E823842D9542B26D35F3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................T....@.................................l(..O....@..P...............((...`......4'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P ..d....................&......................................BSJB............v4.0.30319......l.......#~......D...#Strings....8.......#US.<.......#GUID...L.......#Blob......................3......................................................f.....:.....2.....N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.867317071449741
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9yvPRW4lWvKNyb8E9VF6IYijSJIVxnKW/0:E39oKEpYi6050
                                                                                                                                                                                                                                        MD5:E46BF127588B1650BC3567BEACCA140A
                                                                                                                                                                                                                                        SHA1:7517514337BF161472B69EDA4AC146F9ED7614AD
                                                                                                                                                                                                                                        SHA-256:99FA3FF2EB4780EE974A8746F740C5996F1045F96E7B84C0D64043133DE5F1CC
                                                                                                                                                                                                                                        SHA-512:2117C8CE58557196306E01EE3928DCD7C5F621EA363660519AE366D8D9B4DDF2A4E8DF008466416F5C3794B737C53BCD70BFA022196BD35976B063B53914C685
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...@..Y.........." ..0..............)... ...@....... ....................................@..................................)..O....@..................((...`......l(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................f.....:...........N.................M.................e...........7..... ...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.&...K.F...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.820108756272989
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:N6RW6eWX8Nyb8E9VF6IYijSJIVxiAAnvP:N67XcEpYi601AvP
                                                                                                                                                                                                                                        MD5:8474250197D87865E3B304FFCBB871F3
                                                                                                                                                                                                                                        SHA1:66F807BD06287AFC74D288568C2A7A0E8147B108
                                                                                                                                                                                                                                        SHA-256:5ED289F398B5C896E31D02DE4B488A244B791E6133390C13E18DCB70C8F7FADE
                                                                                                                                                                                                                                        SHA-512:0CA7CB50DA69876D3B1FE69A0A177C8DC75D4646DFA8BAABD4FF7D0AF35215B340B40C41F48655BDDB1F05EF5F7454CA03071B30492B0ABC2C32F09B98009686
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............-... ...@....... ...............................Y....@..................................-..O....@..................((...`......P,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................+......................................BSJB............v4.0.30319......l.......#~..\.......#Strings....\.......#US.`.......#GUID...p.......#Blob......................3......................................5.........c.............z...............(.....E.....................................Q.........../...........b.....b.....b...).b...1.b...9.b...A.b...I.b...Q.b...Y.b...a.b...i.b...q.b.......................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.852041615311748
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:MSUP9W70WxhNyb8E9VF6IYijSJIVxu1cvO:pUe/lEpYi600D
                                                                                                                                                                                                                                        MD5:CB989B41B2BFDD3D28CCE8D0CDAFB396
                                                                                                                                                                                                                                        SHA1:461A0EC79CF28A3E1D1D0A2458918340230BD668
                                                                                                                                                                                                                                        SHA-256:A142F12BD409D63B0DE3AB42B3B609B2BF1A4919D88D8D127A3DF42BBE32344D
                                                                                                                                                                                                                                        SHA-512:7A866BB5CAC3B1BB68F417D2A1B08B3A8F25F615D48EB9564F538F602A21BEF3239E5E232B7895D54DAFA7A9B5ECDC226B318D97CE0427FCA3542CCA47AFFCFE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................YH....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...$.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...x...#Strings............#US.........#GUID...........#Blob......................3..................................................&.....&...p.....F.............................9.....R.................m.....V...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.851763577766904
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:D8yg07W0/WtTNyb8E9VF6IYijSJIVx/omHC+GK:DBHEPEpYi60A7+5
                                                                                                                                                                                                                                        MD5:F48F964BF4CA09CE820025E8FB9FD286
                                                                                                                                                                                                                                        SHA1:2F0DCFEAEED5DA6B5A3EA412484CBDA1215097B5
                                                                                                                                                                                                                                        SHA-256:B917D1093FC62C8AC7F09C0C5F5F5D6B8819C514CEAE95F1DBCA1C0F6EF3E90F
                                                                                                                                                                                                                                        SHA-512:7220B4A0B5874F6AD2B23F60935CCE8BDA06071F4300678B644BD052E8569DEF5686DEF9EC98D9BEB8868C9C64C7F8BB8B1BF58341B007AB0CADF40C994C4975
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ...............................8....@..................................(..O....@..................((...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...d...#Strings............#US.........#GUID...........#Blob......................3.................................................."....."...m.....B.............................6.....O.................j.....S.......(...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.81431788734543
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qe1WmRWgFNyb8E9VF6IYijSJIVxaHgPEA:qejjBEpYi60kqEA
                                                                                                                                                                                                                                        MD5:21BEF3F4F15A1822C8FA427F40E2E79D
                                                                                                                                                                                                                                        SHA1:141C4EA316AB0545A466A0CA4C5F5062A0E0A68F
                                                                                                                                                                                                                                        SHA-256:BEF088DBBF9483B2548ED211FC1CE0FFA16AE4B91668186F31608E3FAA1E7FFB
                                                                                                                                                                                                                                        SHA-512:5A7BCE1DD016085FEB71B75324FBDC0A916A8146328CEA1A37A8941C368031C1C4DAFAD122276CA6044F66886454AEF2DBB6192BCF2BC861807BFDB3309385F2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................J.....@.................................p(..O....@..................((...`......8'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..h....................&......................................BSJB............v4.0.30319......l.......#~.. ...0...#Strings....P.......#US.T.......#GUID...d.......#Blob......................3............................................................f...........z.................y...../.....H.................c.....L.......,...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.(...K.H...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142376
                                                                                                                                                                                                                                        Entropy (8bit):6.16075284902631
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:7UGrszKKLBFa9DvrJGeesIf3afNs2AldfIlq+:6BFd3/aFs2P
                                                                                                                                                                                                                                        MD5:FA5D0EC256AC2E57755EDCC47058A8A8
                                                                                                                                                                                                                                        SHA1:93061A3747CFBCAE4C5C5FFFDCF6546930CAB1BE
                                                                                                                                                                                                                                        SHA-256:7AE4AFC8B33E5E993C03C7725A8812576696B9B7C95F9D672F8F939174A41B89
                                                                                                                                                                                                                                        SHA-512:9455E1F16199FCA559F4B4FDAD752E565BE1F30005368FC22BAED4BF88341DC450AEE34D61D4B22B3AC2C44E418143433DC6855A121EB79E5D7F55CB2B927AFC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`......{D....@.................................X...O.... ..0...............((...@...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):192552
                                                                                                                                                                                                                                        Entropy (8bit):6.11445818411225
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:9eruQlNGOhYq0AQcTvankc+8lbKta4FUPAT8xpRI454I/Kv6RpZ8dwPSgSbb:YW60VcTvakcXcApOL
                                                                                                                                                                                                                                        MD5:1AB2879DB7DA24FAF99F379A67F6F730
                                                                                                                                                                                                                                        SHA1:AE8E5D2A16A5942B76F4F419A3237D9D12744BF6
                                                                                                                                                                                                                                        SHA-256:470915316E008128CA5270D2729B9B242B18AC867A9F89977205648E52C3CC89
                                                                                                                                                                                                                                        SHA-512:19176F685CBCEBCE0B2936D1C89776FBC9E8C676C3DD86D802AB6264ED05FC500925496827B1F0C591B23EF7B96CB52357E54EE406D218F95F11DDFF5FCE7362
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0.................. ........... ....................... ............@.....................................O.......h...............((........................................................... ............... ..H............text...D.... ...................... ..`.rsrc...h...........................@..@.reloc..............................@..B........................H........$..H...........$....,...........................................0..,........ ....1.r...ps0...z.............(.....s1...*.0..l........J.2..J.o2...2.r...ps0...z..Jo3....%36.o2....JY.2*..J.Xo3.....J.Xo3...(...... ........J.XT.*...J...XT.o3...*..o2....Y./..*..o3....%3 ...Xo3......Xo3...(.... .......*.*..0..=..........J...XT..%....J...XT.~..... ...._.c.....J...XT.~......._..*....0............02...91...A2...F1...a2...f1. ....*..91...F1...aY+...AY..X+...0Y...02...91...A2...F

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.834910700767253
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:F6ZWYLWBwNyb8E9VF6IYijSJIVxNNLkjrl:F6l4IEpYi60Wx
                                                                                                                                                                                                                                        MD5:BEC6497FC12067E3DA1309AC1143B464
                                                                                                                                                                                                                                        SHA1:BEB2D6D9A556303DA98A3D316F873ED52B1264AC
                                                                                                                                                                                                                                        SHA-256:0A6A71480332A3B00B8FD30F78136E01F1D90E72FFF130B85B26F309CEAC9B75
                                                                                                                                                                                                                                        SHA-512:1DBA61D1F8011A9500125CA4E05F9D8F677C712AD4044F648718AD7FE42183F7292DD0952311AA1805699B3D19E37EBDB283B03FA979ECBBEF81AAEB66D722BC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................T(..O....@.. ...............((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......0...#Strings....$.......#US.(.......#GUID...8.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.791328656262828
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:41W1WMQWkMNyb8E9VF6IYijSJIVxuHYOj:j1yMEpYi60u1
                                                                                                                                                                                                                                        MD5:109F46F97EF7D2A7181E6ABBAD4C1A73
                                                                                                                                                                                                                                        SHA1:E91A52D5315AA20C244C7E604B5D0A20D2C54A97
                                                                                                                                                                                                                                        SHA-256:0C10372E5CF857E8752AA4799381311FA84C04C83CBBF7B8EA80361617771103
                                                                                                                                                                                                                                        SHA-512:388A28D9C85625EAC37C848F8CA5643ECB91D20823493BB4B4198AF143263749677040A40ECFFC97F4E6C6A94E8A76AC8F9172BD821C4EE9FAF3F5123D26C64A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............,... ...@....... ..............................dY....@..................................,..O....@..@...............((...`......p+............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................,......H.......P .......................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....t.......#US.x.......#GUID...........#Blob......................3................................!...............E.................%.................'...........e.....~...........................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.:...K.Z...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.832241980610204
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:rQ/rx72WSKW5TPZNyby2sE9jBF6IYiYF85S35IVnxGUHFA/PLtL:0dSWSKW1BNyb8E9VF6IYijSJIVxsLtL
                                                                                                                                                                                                                                        MD5:991020E4E7768EFA290D127DC5D88C4D
                                                                                                                                                                                                                                        SHA1:CD1583C286DEA25E234B94F5D39CCB571A03D2AA
                                                                                                                                                                                                                                        SHA-256:375D1FD5653B2BB866435DCFCB9387D34E43A2A8C779FE17A6F7C42986EED973
                                                                                                                                                                                                                                        SHA-512:8754C64EEA0E131B90A16B261CB4AAFCEB7F663AD00E1CD6DC463CFEC7AFA3497B9756AA1B8947E3FDE8CEFC098BCCBC334B67633A34FF467F1EF10F4BA15C1E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..................((...`......X'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~.. ...L...#Strings....l.......#US.p.......#GUID...........#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.,...K.L...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.744707960924502
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:xJEYA2WkIWcqNyb8E9VF6IYijSJIVx1IZz2C:xyYA8CqEpYi60+ZV
                                                                                                                                                                                                                                        MD5:609041C0188E3DF3A8742E479ECB3B48
                                                                                                                                                                                                                                        SHA1:A9D1FEFE61F6B91B9D87F775150119D0A3673886
                                                                                                                                                                                                                                        SHA-256:6DA72A845BED9581C538BAB8684C31BCA00B4DAA7EDBD7B5D3DD5F92C7F6C799
                                                                                                                                                                                                                                        SHA-512:C5D7AFCC83A6D145AD30D2D804562461E9E695AE93D1C4F05760EC0B7D316CA1998B1C4AB912E4039FB1ADAABB973FF559168F8EB2EDED3C58D6AF89DA5EE0E9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ..............................R.....@................................. ,..O....@..................((...`.......*............................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h*......................................BSJB............v4.0.30319......l.......#~..|...x...#Strings............#US.........#GUID...........#Blob......................3......................................$.........N.U.....U.....-...u.................0...........n.........................>.......................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.874085333467112
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:Vl0qgopJ5xBcWe4W5JPwNyby2sE9jBF6IYiYF85S35IVnxGUHFVOEQkuNq:XJGWe4WTYNyb8E9VF6IYijSJIVx5OzQ
                                                                                                                                                                                                                                        MD5:ABD711617A4E2C64977A3ACE0123CC84
                                                                                                                                                                                                                                        SHA1:03188191D332E3222E1492CDEC32930A1D705C25
                                                                                                                                                                                                                                        SHA-256:633FC7289FACBD96052CB7A51303633FFBFAC2110A3C6101589E46D4A655B95A
                                                                                                                                                                                                                                        SHA-512:E1C5A8950DD581E301007F1BFCDAA483F607777FF0E648E38C3D478B033680661CC199A603D65F2D7D3B08695897026A36FAD9D1D3CBA3CA50D266569B2EB091
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ....................................@.................................0)..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d)......H.......P ..(...................x'......................................BSJB............v4.0.30319......l.......#~..d.......#Strings............#US.........#GUID...........#Blob......................3..................................................4...~.4...R.!...T.....f.................e...........4.....}...........O.....8...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.783878066091884
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:adW1w3WesWn3Nyb8E9VF6IYijSJIVxV4yBM:P1wxd7EpYi60+MM
                                                                                                                                                                                                                                        MD5:7C34FE56430A8C273E6DC963445A13C6
                                                                                                                                                                                                                                        SHA1:999FDD2BB131DCB5882D6C6E5C53FF1946D1C3C2
                                                                                                                                                                                                                                        SHA-256:CB75C698D30AF2515BE2D804F5C99F6D00CA677861DD50D06527BAA178491622
                                                                                                                                                                                                                                        SHA-512:4623C99D59BCE3619CC473EBED84257BD96DE3BAC892DEC4668FA89E6FFDB3B6F40E0093D9CBC674913D396575ACD4424A13B729A6A6B8BC509D1C75D92DD1FE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............~*... ...@....... ....................................@.................................,*..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`*......H.......P ..$...................t(......................................BSJB............v4.0.30319......l...$...#~......t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.<.....<.....<...C.<.....<.....<...[.<...x.<...-.......<.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.0...K.P...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):24616
                                                                                                                                                                                                                                        Entropy (8bit):6.595542177965201
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9ylNGlfdqj5531HJTABhf8g2MkO1ICMbmiT2Y4Y3ocWS9sWvW8YsW1gNyb8E9VFN:9yp12Bhkg3qnV/srYEpYi60RZ
                                                                                                                                                                                                                                        MD5:2F2705A28E19293E2918EC4A3490B78F
                                                                                                                                                                                                                                        SHA1:7BC61FDDC75486A8383D94E7E624F479041010F2
                                                                                                                                                                                                                                        SHA-256:CB74B1AA7057AC369FB545CD0DF01AE8A76CD0650DC01F9DC2CEF980D7F9FDE1
                                                                                                                                                                                                                                        SHA-512:AA225660906EC89E5D1358A1CEAF661F89EA1FFE14CD6B69D86D7C9E7249E06854BCA3B228FB3053155A101BBBECBAA2843CB50BD23B41C8257C0E04D9B43EF6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..*...........I... ...`....... ....................................@.................................gI..O....`...............8..((...........H............................................... ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............6..............@..B.................I......H.......H(... ..................HH.......................................0..J.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%......o....*...0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+*.0..K.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%.......o...+*..0..L.......(....~....%-.&~..........s....%.....~....%-.&~..........s....%........o...+*.0..L.......(....~....%-.&~..........s....%.....~....%-.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.852674050741342
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:YHPAW1bWieNyb8E9VF6IYijSJIVxJ54bg:crTmEpYi60V
                                                                                                                                                                                                                                        MD5:08ACDBB77FAF00362B38EEE3B1021005
                                                                                                                                                                                                                                        SHA1:83C33BA5ED2FB016E78EC21EB9ADD43F7D3CD86A
                                                                                                                                                                                                                                        SHA-256:78E6E083FF2741E8DD6AD3CD22E857354BEE8CB943E1416309E63333F251C791
                                                                                                                                                                                                                                        SHA-512:B61F0473190AE6C221B78956A9AB76F93C96F9A8E5E79D1FD259862037193D871ECD4924ACA3B3449380013D572FE5EC3473E31CAACE37C4D0FE491B33063E6A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................-....@..................................(..O....@..P...............((...`......P'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......P...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3......................................z...............\.....0.....3.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8526653705597695
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zNoqWD7WJlNyb8E9VF6IYijSJIVxeYzRisP:zNofwhEpYi60VosP
                                                                                                                                                                                                                                        MD5:94F84A310A3300FFE8047189F2A6CCBC
                                                                                                                                                                                                                                        SHA1:4CC23D897F9F90E36EDDF224E54D69AFCAD0F395
                                                                                                                                                                                                                                        SHA-256:E05FBD11DC5FEC61899019D7836396A7C025E0D4FCCD9A0EB5EAA91D834EFC73
                                                                                                                                                                                                                                        SHA-512:43FCB0E681225AEE222CCC1EA3FF63A6AA4DD141653C910D3AD40C638A6BBFA6E2C8406CCA01D4FC2CCDB7465B53D33ADCCCCE320AB6A15207FAC8580AA3045F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ..............................cN....@.................................|(..O....@..@...............((...`......D'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P ..t....................&......................................BSJB............v4.0.30319......l.......#~......X...#Strings....L.......#US.P.......#GUID...`.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.864685620785427
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:GGETSAWUEWSWNyb8E9VF6IYijSJIVx6tEb7:sT18+EpYi60L7
                                                                                                                                                                                                                                        MD5:C0EB2AA399EC2C0D6ADB4EE6C5126636
                                                                                                                                                                                                                                        SHA1:EADC9C676E6408FBE7FAAB773E33702E894979E9
                                                                                                                                                                                                                                        SHA-256:50B1FA1556FA8989C11BE79BEDF036B883830E8454E4A4228A327122BCF6FBFF
                                                                                                                                                                                                                                        SHA-512:70A3DE2B1C4764A8871C00BC23CFCEB8C0CFDC4A9EA5AC66645CC339B655374A283BD2CFD9705472D61805370A5C8A3345E5B8557A6DB6D79049D709761F2204
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............B)... ...@....... ..............................".....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3............................................................T.....,.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.2...K.R...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110120
                                                                                                                                                                                                                                        Entropy (8bit):5.51209301175418
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:uPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb767:uWw0SUUKBM8aOUiiGw7qa9tK/Ybs
                                                                                                                                                                                                                                        MD5:ECB5AAC58404396112B354062BF74337
                                                                                                                                                                                                                                        SHA1:C8B6C9CF0D7AC71BF12C2CA870BD329A4FEF71B8
                                                                                                                                                                                                                                        SHA-256:754A2559DCB18CC759A00E1DF30EC834FDC07DCBB781AB141643ADAA5E0D2C80
                                                                                                                                                                                                                                        SHA-512:DC36305F501A35467310D2820FD2AEA642779DF19EEFC084D01EEBE28AF2831A8B5589EFC0693EB662A7CCAD0942926A9D55347963CC771C0D0D09C2B95DB1E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ...............................%....@.................................f...O.......................((.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.849436982000894
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ZcDagtDApWSKJWFrNyb8E9VF6IYijSJIVx4LsvqGQHU:ZPKBKnEpYi60NiGQHU
                                                                                                                                                                                                                                        MD5:3C31EE2B27F16A4B2452DCE791BD6F62
                                                                                                                                                                                                                                        SHA1:76DED6E5B11CB942BE9C4B87EF546071DD6F6AD1
                                                                                                                                                                                                                                        SHA-256:54ED63281C8D38FADFD8E7601782996FFBD9DAAD4C710E20C90F4E266C4C6F04
                                                                                                                                                                                                                                        SHA-512:56E6A7B7AC94493A86D68C35C910E92B895533AD694A416E3E6491E14AAA97491195A6C1D3F3DEB3C5A7CECEDFF4EA0EC65D495A65C652AF82F935F1F69122C1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............+... ...@....... ..............................S.....@.................................0+..O....@..................((...`.......)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................d+......H.......P ..(...................x)......................................BSJB............v4.0.30319......l...x...#~......$...#Strings............#US.........#GUID...........#Blob......................3......................................x.........w.o.....o.....\...............<.....Y.................................................G...........V.....V.....V...).V...1.V...9.V...A.V...I.V...Q.V...Y.V...a.V...i.V...q.V.......................#.....+.....3.....;.....C./...K.O...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.858418738536182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:t6NxhqWD4W5wP6Nyby2sE9jBF6IYiYF85S35IVnxGUHFAyboMFHR:AIWD4WmiNyb8E9VF6IYijSJIVxM0nHR
                                                                                                                                                                                                                                        MD5:E404E9D0E1857318AD4555418621D2C3
                                                                                                                                                                                                                                        SHA1:2A3D60967A08001EFD9E0B2E32BC8E98127794A4
                                                                                                                                                                                                                                        SHA-256:202A54DF5243F3362BB4DA4C093654DEDE7F94E43B050E20FFB22291418E6E66
                                                                                                                                                                                                                                        SHA-512:7A02392420816325DB8930339255CEAF51C11C0AD03501CEA6F226F365740D2BB98C99AA05D04F5A4C4F239A77CC6B40A076BE093BE19C4A1E65A42231AF7C5E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................p....@..................................(..O....@..@...............((...`......\'............................................... ............... ..H............text........ ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....d.......#US.h.......#GUID...x.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.7840723636197335
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:aW2KxVSWzQW5qPFNyby2sE9jBF6IYiYF85S35IVnxGUHFh/JZlGWxX5m:NMWzQWc9Nyb8E9VF6IYijSJIVxN/JvW
                                                                                                                                                                                                                                        MD5:5F1F5EC1E68D69D5C768D0A7707286E7
                                                                                                                                                                                                                                        SHA1:EEB435A9A79D06584231F4FD91734CFC94C351C2
                                                                                                                                                                                                                                        SHA-256:C9720AE379F8069952500F75C3191E311B1537D8515047B2236E9A5B35C60390
                                                                                                                                                                                                                                        SHA-512:4FE171C36EECADDFBE6B068326A05D7465BA8A6C4A81D2885D6BD94A628393006AF4CB15CB12AC04B6E8A42FBAEC73C1F43BA5A92180B3A109607CB47302A0F1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............N*... ...@....... ..............................l?....@..................................)..O....@..@...............((...`.......(............................................... ............... ..H............text...T.... ...................... ..`.rsrc...@....@......................@..@.reloc.......`......................@..B................0*......H.......P ......................D(......................................BSJB............v4.0.30319......l...L...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................z.....N.....:.....b.................a...........0.....y...........K.....4...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.9...K.Y...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.72570998567299
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9xDHKWAMWcpNyb8E9VF6IYijSJIVxlPK0h:DD8GtEpYi60Vp
                                                                                                                                                                                                                                        MD5:6DC964E9A729F59D3F7ACDB9A27C9C45
                                                                                                                                                                                                                                        SHA1:8983467CABE35B6C46CFDE8E8EFD548BF498B061
                                                                                                                                                                                                                                        SHA-256:D4A35F9CB91B7910C8C247DD7A07BBAD7D625787B82C4117712BA9FEB6055912
                                                                                                                                                                                                                                        SHA-512:A0511371083A659F0B344DB5A92280E2B98CFDCFC9C4075F40E4DE295184DD189E22ED563D04D2EC547B4363549AAFC34E51F80B3D6621D0A449DD746A0C2C4F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............r,... ...@....... ...............................l....@................................. ,..O....@..................((...`.......*............................................... ............... ..H............text...x.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................T,......H.......P ......................h*......................................BSJB............v4.0.30319......l...H...#~......D...#Strings............#US.........#GUID...........#Blob......................3................................"...............1.............{.................................Q.....j.......................n...................u.....u.....u...).u...1.u...9.u...A.u...I.u...Q.u...Y.u...a.u...i.u...q.u.......................#.....+.....3.....;.....C.....K.N...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.831254121146028
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qLNBEW6pWx7Nyb8E9VF6IYijSJIVxdT1qeyOPx:qbMSXEpYi60pLx
                                                                                                                                                                                                                                        MD5:A2C4B2E2B08F80F9292FC60801A8C757
                                                                                                                                                                                                                                        SHA1:C058F7FB26416722F27C7AA50D9DBD53DB012C7B
                                                                                                                                                                                                                                        SHA-256:E9A7AC50555C363CF88675038991DF98D97B4E074F394A0496DCABC00D66770D
                                                                                                                                                                                                                                        SHA-512:58958CC25797272042659CD25F06C9211B164F2A522F03ED53B24B11357E0A5A6FF932A5F1C398AF223AFEBFF96F0623B5EBD70AC7EE0A42C21701658453A513
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ....................................@.................................D(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.884487188270577
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:yKkHKW/tWBpNyb8E9VF6IYijSJIVxkNKuTWOr7o:numtEpYi60Wldo
                                                                                                                                                                                                                                        MD5:5DB94DA2D50F9660D9F749BE056434B6
                                                                                                                                                                                                                                        SHA1:4C1DAE91099886424AB3A813D44FBA6A636CF176
                                                                                                                                                                                                                                        SHA-256:30CAF11BCC29237D52C83374EE580F0FF4B7A9DCBF21CD75A1B17B2B11D7B2E8
                                                                                                                                                                                                                                        SHA-512:EABF9832024E1505CBC238D2F9D4A777CC6DF7797340EB25DE8DBEF7C4C4682A9502B143BEC3664643F3888647DA606D9A172B21D71DD478040D4F3A51B3732B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............)... ...@....... ..............................FP....@..................................(..O....@..`...............((...`.......'............................................... ............... ..H............text...4.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B.................)......H.......P ......................$'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................W.....W...R.D.........f.......................=.....V.....}...........q.........................>.....>.....>...).>...1.>...9.>...A.>...I.>...Q.>...Y.>...a.>...i.>...q.>.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8318443464700875
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:TLnfIWqrWx8Nyb8E9VF6IYijSJIVx7Dq1ba7A+:TDf4ocEpYi60gb7+
                                                                                                                                                                                                                                        MD5:B78CE612B7E92466B36CDFF4431AD1A6
                                                                                                                                                                                                                                        SHA1:9248C5EB01AAD3AD4C12677EAF1BC2E4126B9738
                                                                                                                                                                                                                                        SHA-256:23436583765A3180081E2C6B96B8F177799A7AC2B1ECBEA226BC96D2EB04D0B9
                                                                                                                                                                                                                                        SHA-512:7F25F3DDDCC9A2633C6DCECBE0BD83BE6CC6827C760666DF766FE5F87F506BED6C94E6A301E4BA49F603F6858CB2F5DA4FF758DCB82E5D1AF250E005DA3D48A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............(... ...@....... ...............................s....@.................................D(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................x(......H.......P ..<....................&......................................BSJB............v4.0.30319......l...|...#~......0...#Strings............#US.........#GUID...,.......#Blob......................3......................................z...............\.....0..... .....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.673296258904213
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Dh06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeB57c:Dy9gpEpYi60Ae
                                                                                                                                                                                                                                        MD5:3A0946ABA4AA0B0B5778A250F6ED27AC
                                                                                                                                                                                                                                        SHA1:B970229FFA04428F6D60D1C9381ABF320D424D0A
                                                                                                                                                                                                                                        SHA-256:472BF1CC97392CC7F346C9F4324DD826C279C99CAB990119CC80DA3FBDDC2129
                                                                                                                                                                                                                                        SHA-512:33DE603317DF5ACB9CD1E7649B0834E8836DC208366E75133564280C18A17404A9F55FC8682319ACD94CA4C175F95D6F8F6C3F2330259B563526B594A4AEC17B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ....................................@.................................@3..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.812805534610478
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Jna8WK1WLfNyb8E9VF6IYijSJIVxY439G:Jna0ojEpYi60i
                                                                                                                                                                                                                                        MD5:D28FF1505221F33F58296E951C1789EB
                                                                                                                                                                                                                                        SHA1:E0FA2F18A762E06F7D64B4A9C512E37D9AEAB600
                                                                                                                                                                                                                                        SHA-256:53E0F85233A90E560E0B9C4DAEF8945A838505DF2CC3BB1A7EA36765BB698620
                                                                                                                                                                                                                                        SHA-512:5C40A5872BBEE334A140E8046BF089E21098DC06176EE594D023F8440AFE3CDA1778DA8BF4725D7C9F95BAAD52F8E2E74C3F74D07DFF58EBA238844FC96F8623
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............j*... ...@....... ....................................@..................................*..O....@..................((...`.......(............................................... ............... ..H............text...p.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................L*......H.......P ......................`(......................................BSJB............v4.0.30319......l...@...#~......0...#Strings............#US.........#GUID....... ...#Blob......................3................................................w.................!...........<.....Y.............................................................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.765085373011992
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:5BSWITWWSNyb8E9VF6IYijSJIVx3mR6ZX:56LyEpYi60WR2
                                                                                                                                                                                                                                        MD5:15C00D2B3289442A382E8E358EE92040
                                                                                                                                                                                                                                        SHA1:A218EB0F26AE8D22CF2DC42AB1DBBA7050E10703
                                                                                                                                                                                                                                        SHA-256:0CE8E3ED177E94382208B61D28BE3EB32269A3F208A1AD614A0AA37B9A8B5A63
                                                                                                                                                                                                                                        SHA-512:81E41383E3C2E250FAD471B1E4733BDF3378804C88BC0AFC239EF9D3FD129A76982BCE40B52DCD96371DCFE78E9CD5A6751BB00E70EDCBC4EDC0A7879FFA167A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..............*... ...@....... ..............................;.....@..................................)..O....@.. ...............((...`.......(............................................... ............... ..H............text...$.... ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l...@...#~..........#Strings............#US.........#GUID...........#Blob......................3..................................................|.....|...S.i.........g.................f...........5.....~...........P.....9...................c.....c.....c...).c...1.c...9.c...A.c...I.c...Q.c...Y.c...a.c...i.c...q.c.......................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.872654686394797
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:G88cIIWNoWJiNyb8E9VF6IYijSJIVxJMuG0:G9cU7iEpYi60G0
                                                                                                                                                                                                                                        MD5:989839E4FF834AFA88C8A89D5C5B0A55
                                                                                                                                                                                                                                        SHA1:4DE5124ABAD5C0230A7D6E88822A4E28A90BA309
                                                                                                                                                                                                                                        SHA-256:1179CB6F638E6DAA670B75A82ACCEE65788969C6355C03D9DF708406269E7584
                                                                                                                                                                                                                                        SHA-512:A14463B212D223E7D987A3BDABDCB09DEF7AFCCD184F8D034B93DB52D913EB89541927CBDFB3BC0C558A731FC09C3DDE78B9991BEAEED468F8F6A52138FFE98F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0.............V)... ...@....... ...............................z....@..................................)..O....@..................((...`.......'............................................... ............... ..H............text...\.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................8)......H.......P ......................L'......................................BSJB............v4.0.30319......l.......#~.. .......#Strings............#US.........#GUID...........#Blob......................3..................................................*.....*...c.....J.....w.................v.....,.....E.................`.....I...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22568
                                                                                                                                                                                                                                        Entropy (8bit):6.620984449083178
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hkUwx9rm5go1fWKmmW4oqN5dWjaWbJNyb8E9VF6IYijSJIVxowXpaY1:QrmoFmWXX/NEpYi60bwY1
                                                                                                                                                                                                                                        MD5:2F2FFAB3A3B163FF7704A5766DA30D8F
                                                                                                                                                                                                                                        SHA1:A9A9779721AE2EAE2E26464518FCF618B2F52D30
                                                                                                                                                                                                                                        SHA-256:63BBF869A66DB2BA9507B435B2964CCD91BA713AF3C64E757C0C4E40A8B5606A
                                                                                                                                                                                                                                        SHA-512:D1CB33B4E9DCDFEFE6D10DF235E1D3082E58E9EF0A4E4EF337775636C050D14E97CA4F238E7D33D7FDD786057801679D0B03BB8E728CE97BE2725E80965334A7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..&...........E... ...`....... ...............................O....@.................................PE..O....`..x............0..((...........D............................................... ............... ..H............text....%... ...&.................. ..`.rsrc...x....`.......(..............@..@.reloc..............................@..B.................E......H........$...............A.......C......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2r/..p.(....*......(....*2(.....(....*^~....-.(.........~....*.0..........~..........(.........(....-Y..(!....{/......5..,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18472
                                                                                                                                                                                                                                        Entropy (8bit):6.674513594159353
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:509bOAghbsDCyVnVc3p/i2fBVlAO/BRU+psbC984vmJHrE1dtx66aI2sU52RWVss:wOAghbsDCyVnVc3p/i2fBVlAO/BRU+pm
                                                                                                                                                                                                                                        MD5:A6DD4492122C3B05E26841BF763D8CA8
                                                                                                                                                                                                                                        SHA1:4EE03E0DB9DE2179888F3ACF713E74DCF3501E29
                                                                                                                                                                                                                                        SHA-256:7AF874CFCD34E341458ACF7F7B2BE5A6EFD51CA4CF63136F64E608F04C1FD96B
                                                                                                                                                                                                                                        SHA-512:E139B82D73F09759E5B26088FBC22E58BAF5A70ABD63444CBFF152EB3F4A5720F108B84047F55D4756E822D4A2CC94B01D75540785AE7A108697FD0BE7F4D483
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............r5... ...@....... ..............................)<....@................................. 5..O....@..P............ ..((...`.......3............................................... ............... ..H............text...x.... ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B................T5......H.......P ......................h3......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3................................r.....................e...........4.................3.....L...................................R...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.833205974292201
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cmYx4AW6RW5wPSNyby2sE9jBF6IYiYF85S35IVnxGUHFt7kRF0IMT:c7W6RWmaNyb8E9VF6IYijSJIVxZ799T
                                                                                                                                                                                                                                        MD5:119FB494DE18C7851BE378596E0DB77C
                                                                                                                                                                                                                                        SHA1:0661625ACE5556827D8655DE364CC0B9249775C5
                                                                                                                                                                                                                                        SHA-256:71D4DD649DEED3D934F17215D1CD0D53D906E6500946C4A1C73E7A7F4F588EA7
                                                                                                                                                                                                                                        SHA-512:63DD9F9733D80D8F560CBE7CA577CCBB81EF14A33E54A39C61AC152F2BF22434D3D105C377E50A7002A58D9E00829F275452D56129401AC4B14C10E675CEBC75
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................}.....@.................................T(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..L....................&......................................BSJB............v4.0.30319......l.......#~......4...#Strings....(.......#US.,.......#GUID...<.......#Blob......................3......................................z...............\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.92349173979631
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:eI5HeWFwTBsWWcNyb8E9VF6IYijSJIVxuKdCd8d:eI5HFwTBI8EpYi60lA8d
                                                                                                                                                                                                                                        MD5:E6B5F6440BC7D3CAE67E367AE3B3C0C6
                                                                                                                                                                                                                                        SHA1:E7AC1D39F72E44D31927F10717FD29D6DC442984
                                                                                                                                                                                                                                        SHA-256:FFC1B5DEEBA31D33130A2FFF846BB6A9C7B3C5D977CD30E04964F1D42DF77D10
                                                                                                                                                                                                                                        SHA-512:94B66BC2797DCF48E3DCA504B0AE76A11438826BFADCFFF20938FA52820DD1E97B767DB1C3D200E0B4CF57EC1FF776462B9F88A4AC8BF4377BD3FF0150A1799D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ....................................@.................................|)..O....@..................((...`......D(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P ..t....................'......................................BSJB............v4.0.30319......l.......#~..H.......#Strings....@.......#US.D.......#GUID...T... ...#Blob......................3............................................................U.x...........................~.....4.....M.................h.....$...................r.....r.....r...).r...1.r...9.r...A.r...I.r...Q.r...Y.r...a.r...i.r...q.r.......................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.892290398632148
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:uAJpVWbfkBnWRXNyb8E9VF6IYijSJIVxnBF5:uAJpWfkBAbEpYi60X5
                                                                                                                                                                                                                                        MD5:A1F1422C8B103D8B855DAE40D5E61142
                                                                                                                                                                                                                                        SHA1:349CDF5DB44F08A9C472F8B0923F4CA6019CA236
                                                                                                                                                                                                                                        SHA-256:0E49AF27963895F413C566C0D715F0B20B3D468FB4D914A1BE45D800720CDF34
                                                                                                                                                                                                                                        SHA-512:A2A36487BEA55EAE3D9A5E384E7DDD86AB5194BB0BA42F50C48B81C432795911B5DA7942EA5667AA313AD8D39C7F5219C8C78ED054AE8613F26B7DEFDE4DF1A4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............>)... ...@....... ...............................F....@..................................(..O....@..`...............((...`.......'............................................... ............... ..H............text...D.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................ )......H.......P ......................4'......................................BSJB............v4.0.30319......l.......#~..........#Strings............#US.........#GUID...........#Blob......................3......................................z...........@...\.@...0.-...`.....D.................C.................[.....x.....-.........................'.....'.....'...).'...1.'...9.'...A.'...I.'...Q.'...Y.'...a.'...i.'...q.'.......................#.....+.....3.....;.#...C.>...K.^...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):21032
                                                                                                                                                                                                                                        Entropy (8bit):6.539763813232213
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:J8R71h7yzt94dHWFgQBVWeHWFyTBVW2dNyb8E9VF6IYijSJIVxRN3B:I1dyAqgQBfqyTBZZEpYi60t
                                                                                                                                                                                                                                        MD5:185DDF848D7943C866469B6C85BE168C
                                                                                                                                                                                                                                        SHA1:E14D1F4F7941BA3E575566CD8580E597D2A16376
                                                                                                                                                                                                                                        SHA-256:62D54C9CB394CA33A2E2AA4BFC5862AEB7C4F82208C307120D531C03CCF46903
                                                                                                                                                                                                                                        SHA-512:6A669F22D30C917091A70F3A93131BC3189EF0A3110489C139A750A9250C84D61938D14646F1A061CBF1E732F86480252C6F565D82D45B2DF8D63AABF1E8F7A6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............8... ...@....... ..............................k.....@..................................8..O....@..8............*..((...`.......7............................................... ............... ..H............text........ ...................... ..`.rsrc...8....@......................@..@.reloc.......`.......(..............@..B.................8......H.......|!..l............1..p...X7......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*......(....*..BSJB............v4.0.30319......l.......#~..h.......#Strings....\...4...#US.........#GUID...........#Blob...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18984
                                                                                                                                                                                                                                        Entropy (8bit):6.680630337143418
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:apsBljcZQIVI8CNwbcyMWs4oBOW9MWG4tBOWb8Nyb8E9VF6IYijSJIVxZ8orQv:AsPMQMI8COYyi4oBNw4tBrcEpYi60ov
                                                                                                                                                                                                                                        MD5:0179437AE44AC887A538F44BBBA85A1B
                                                                                                                                                                                                                                        SHA1:D6158F26235B0034E834832122D7A9709CE6D386
                                                                                                                                                                                                                                        SHA-256:129B421FFD25CCAB64E61CE490FCC4072DBE43BBC3743139E04B73B54A91BDB4
                                                                                                                                                                                                                                        SHA-512:5C6D797C7C8E58AE73A4533D24D2A94714FC7FB1C318A5C1C9DE286D1582E9302440E1B193F6E04C3AD1AB606760A49E51534828CA19D8C4718A6555AE17B4A2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............3... ...@....... ..............................;W....@..................................3..O....@..............."..((...`.......2............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`....... ..............@..B.................3......H........!..0...................L2.......................................s....*..s....*..0...........o....u......,..o....*.*.0..%........s..........(....r...p.$o......o....*:.(......}....*..{....*.(....z.(....z6.{.....o....*:.{......o....*.(....z:.{......o....*.(....z.(....z.BSJB............v4.0.30319......l.......#~.. .......#Strings....$...0...#US.T.......#GUID...d.......#Blob...........W..........3............................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23592
                                                                                                                                                                                                                                        Entropy (8bit):6.3177610625281115
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:IbhigwLAuZtM66g/Id7WVXWgvNyb8E9VF6IYijSJIVxdTR1g2r:IbhzkKs9TEpYi60h
                                                                                                                                                                                                                                        MD5:E6639AE075EDD94FA2BC128A56EBB468
                                                                                                                                                                                                                                        SHA1:021D0245A9D83F662DC3C176BD9281FC7C78CF25
                                                                                                                                                                                                                                        SHA-256:C942ADFA7FA4F9C1B4F167EB28B153DF6A21B638915A04E1BA62E61B1F356AFA
                                                                                                                                                                                                                                        SHA-512:9EB9236557EA8E495DFC87C4DD5E511448F3916994C5943ED684EAC2C74FDB379078776DED8FD0E5FAD89442F8ECE712DC6DE7BA2AF9E1DF6D011319225FA3DB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...A..Y.........." ..0..*.........."H... ...`....... ...............................O....@..................................G..O....`...............4..((...........F............................................... ............... ..H............text...((... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................H......H.......P ...%...................F......................................BSJB............v4.0.30319......l.......#~..........#Strings.....#......#US..#......#GUID....#......#Blob......................3................................................_.........................8.....8...*.8.....8.....8.....8.....8.....8.........*.8.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.+...K.K...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.864608994529631
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:2UcX6W9aWTmNyb8E9VF6IYijSJIVx7y5zT:2UchXuEpYi60k
                                                                                                                                                                                                                                        MD5:FA52AE24F562E0519560C9EDE6F659A0
                                                                                                                                                                                                                                        SHA1:9DB85E79679EEE39276D1DD714127894DF4335EB
                                                                                                                                                                                                                                        SHA-256:66C1AB079D2735A8FD178EF2D36F0627E8A33AF362EB0054D7111F25BF4E7D49
                                                                                                                                                                                                                                        SHA-512:ED4FBFCAA82BF7A9B887B5727179DED5D521E25DEBAB5C8D0BE2D484775D4B2FC6262ABA102DE9A7A4D1590ECFB6AF4E0E3D15776EE66C3EE8AEFACB7A334E33
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............B)... ...@....... ...................................@..................................(..O....@..................((...`.......'............................................... ............... ..H............text...H.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................$)......H.......P ......................8'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....(.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41000
                                                                                                                                                                                                                                        Entropy (8bit):5.952017062241917
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:CoBj7kS+8mjvHTeaWKs0Sd4eeUAEpYi60vu:xPmb9WKs0PeeUJ76Yu
                                                                                                                                                                                                                                        MD5:76CC6A639A50E0F1E1C8B2638125A2C6
                                                                                                                                                                                                                                        SHA1:294DA051988C4F0E6C94BA71C67062E11602F411
                                                                                                                                                                                                                                        SHA-256:381CE849AAA4ABD28C4BFAD14349E602BAE571898FED928153607D0068ADC5F5
                                                                                                                                                                                                                                        SHA-512:8CB21F14E59BC2928F77152564ACA3599C0FB64909075559B44E6EF2DDC83EF1BFF68FC4B35218EC4BF79DBB5F0DC4401F24EC281E280C5BFA21DACCC216DEFF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..h.............. ........... ..............................7.....@.................................u...O.......8............x..((........................................................... ............... ..H............text....f... ...h.................. ..`.rsrc...8............j..............@..@.reloc...............v..............@..B........................H.......P'..\8..........._...%..,.......................................j~....%-.&(F...s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2rI..p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r...p.(....*2r9..p.(....*2rm..p.(....*2r...p.(....*2r...p.(....*2r=..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8957951336831576
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:8TI2pWPzWmWeNyb8E9VF6IYijSJIVxWxypH1aw:8E3bnEpYi60pph
                                                                                                                                                                                                                                        MD5:152D8A8529BB53E40562AA32BD1455EB
                                                                                                                                                                                                                                        SHA1:5915551044C314BD2BD66C23FBA86BB44227D0CD
                                                                                                                                                                                                                                        SHA-256:30C7A9ED18CFEDB8F27BB46CC4CD4B586A58BCF0AB4AC0A6D103856508ED8207
                                                                                                                                                                                                                                        SHA-512:F5A0D14D2C9B059FF56C0DE679ECECD9C3A1AF1E39057A58E590B142372344C5BD4AE594D2D76E9080FDC5814601C926665CA5B344578CB1EBBFDA8D30E396E6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............^)... ...@....... ....................................@..................................)..O....@..`...............((...`.......'............................................... ............... ..H............text...d.... ...................... ..`.rsrc...`....@......................@..@.reloc.......`......................@..B................@)......H.......P ......................T'......................................BSJB............v4.0.30319......l.......#~..,.......#Strings............#US.........#GUID...........#Blob......................3......................................z...........A...\.A...0.....a.....D.................C.................[.....x.....-.........................(.....(.....(...).(...1.(...9.(...A.(...I.(...Q.(...Y.(...a.(...i.(...q.(.......................#.....+.....3.....;."...C.=...K.]...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Encoding.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.910295083255079
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:lcezoy4W04WGINyb8E9VF6IYijSJIVxmZqa:lBzoy+kgEpYi60u
                                                                                                                                                                                                                                        MD5:788EEDD2BCADB4BA00C308E7D4A6D112
                                                                                                                                                                                                                                        SHA1:03E7742F956979399110C3033461D3E72904B29D
                                                                                                                                                                                                                                        SHA-256:FB80AA162FB7F3366D60FB2DC51B56A17155182B90809995E77ACA2AFE2D15F7
                                                                                                                                                                                                                                        SHA-512:25E8E352C381FE5B329CE27C02A69663C980AADFDD6C8FD5251AB5912AE63DB90D34ADD98E172A39E1E8BAC365717079F8505FDF93BCA05371682B8FB1E4D871
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............~)... ...@....... ..............................m.....@.................................,)..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................`)......H.......P ..$...................t'......................................BSJB............v4.0.30319......l.......#~..<.......#Strings............#US.........#GUID....... ...#Blob......................3..................................................f...o.f...C.S.........W.................V...........%.....n...........@.....)...................M.....M.....M...).M...1.M...9.M...A.M...I.M...Q.M...Y.M...a.M...i.M...q.M.......................#.....+.....3.....;.'...C.B...K.b...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.79546328311258
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:cUgHWexY+WKpW5FPYNyby2sE9jBF6IYiYF85S35IVnxGUHFjekhqHbA:MH/JWKpWDQNyb8E9VF6IYijSJIVxXeHU
                                                                                                                                                                                                                                        MD5:A25577998978B87CC8D443110AB27B5E
                                                                                                                                                                                                                                        SHA1:55A2FC5DE2790AE7B7414D9193D4B10A64244658
                                                                                                                                                                                                                                        SHA-256:762B44EBE2E5FB61CF29F387D7BEE17A1550802EBA7AD153AD142FBC2EDE89D7
                                                                                                                                                                                                                                        SHA-512:77D4ED6105A65585E793CC6E4541A874DC1B269EFED8A4851AA8CD6025337C88FB726549CDB3067DAA5A0C920DBC616B7CF0E083EF184B52361C4A8D567EC2EF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0............."*... ...@....... ...............................?....@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...(.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l...$...#~..........#Strings............#US.........#GUID....... ...#Blob......................3............................................................o.s...........D.....D.....D.....D...8.D...Q.D.....D.....D...l.....U.D.................m.....m.....m...).m...1.m...9.m...A.m...I.m...Q.m...Y.m...a.m...i.m...q.m.......................#.....+.....3.....;.)...C.D...K.d...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.7447495341904595
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qTjbocNsWMhWqiNyb8E9VF6IYijSJIVxtLyoWK:6boYyFiEpYi60tFn
                                                                                                                                                                                                                                        MD5:54468FADBEC6DBA182D2C39AE9CB497B
                                                                                                                                                                                                                                        SHA1:521A56DCBE7D3178BF62616A9EFE3D6626059F70
                                                                                                                                                                                                                                        SHA-256:59567BC0FD8A4872FAC5A214CD853F019149A89097EDDC41FCD70AF2CC6993B8
                                                                                                                                                                                                                                        SHA-512:90FAAC13B9102021EC79A9AB4F20C423E1B4D2262572CC3707F5EE55C394A65205C808FCFB52AF4D86677BB5E93B198E4DBC12CB22AD4EC3DF5FB275ACAB57C1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.................. ...@....... ..............................y.....@..................................-..O....@..................((...`.......,............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H.......P .......................,......................................BSJB............v4.0.30319......l.......#~......|...#Strings....x.......#US.|.......#GUID.......(...#Blob......................3................................'.....).........u.................=......."...:."...W.".....".....".....".....".....".....[.....".................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;./...C.J...K.j...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.844665709244569
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4SKiWIhWG3Nyb8E9VF6IYijSJIVxLp8V9:4SK8l7EpYi609I
                                                                                                                                                                                                                                        MD5:E34063501621BD77546941CDB2B5C1F2
                                                                                                                                                                                                                                        SHA1:B7AA35806E1C69556AECFC351AA7A3D6C1585402
                                                                                                                                                                                                                                        SHA-256:4DE4CF5C699EF43CC37E53A66E86B771DE7BC7029179173EDC28EA58BD11B8B8
                                                                                                                                                                                                                                        SHA-512:DF03F08E92D2E0FD5B6CBAA62050A918EA01BA2011DBDDE1D5B7DEC0EED04CB95570A4BBE0C1D45E8CF4AEBC38D287010FF76BD63B7C1209A51D8FD7E3307497
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................]V....@.................................t(..O....@.. ...............((...`......<'............................................... ............... ..H............text........ ...................... ..`.rsrc... ....@......................@..@.reloc.......`......................@..B.................(......H.......P ..l....................&......................................BSJB............v4.0.30319......l.......#~......@...#Strings....D.......#US.H.......#GUID...X.......#Blob......................3......................................................\.....0.....'.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.6...K.V...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.SecureString.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.785674552898244
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:/0KbZWApWmWTpWSDNyb8E9VF6IYijSJIVxkp8lkBU5:sKRyhfEpYi603L5
                                                                                                                                                                                                                                        MD5:318C94B42D32AF384E8A32B518002E7F
                                                                                                                                                                                                                                        SHA1:084BFDD4A02F365B305241ED4C0A458940BADB70
                                                                                                                                                                                                                                        SHA-256:C5D36F0A84164B0ED3B7F6B2906F6A58D610A3AD6EDF3ABC288338A8625931B5
                                                                                                                                                                                                                                        SHA-512:C03AA9CD8171822971CCADFE1AAE2D07B3FD9749C3D147A66276C783BC708148D51B2DB6ED644DCE8490D144B339D6587B72A540D1702D3FF754EAAA08B735A3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............)... ...@....... ....................................@.................................>)..O....@..................((...`.......(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................r)......H.......p .......................(........................................(....*..(....*..(....*..(....*BSJB............v4.0.30319......l.......#~..........#Strings....`.......#US.h.......#GUID...x...(...#Blob...........G..........3.............................................."...........C...........u...............m.b...........J.....J.....J.....J...6.J...O.J.....J.....J...j.C...S.J.............................P ............X ............` ......4.....h ....................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.874692610973363
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:qb1nWCXWr7Nyb8E9VF6IYijSJIVxnY3An:U7yXEpYi60j
                                                                                                                                                                                                                                        MD5:A972AE027F809D65147B5E5CCE0CC799
                                                                                                                                                                                                                                        SHA1:BD46B74E9CEF9A424F6915505CBD2B1011131ACA
                                                                                                                                                                                                                                        SHA-256:C57017889813A1732C512CC5988EFD08746CB02471C8B19C3DF3A163D7AF909B
                                                                                                                                                                                                                                        SHA-512:F46960DEF427278CFEABA9B32F58BEA4ACA024BBF0D6641A24FE3FA84CBC8FA7DDB8D5B1776B18EAA5EFCDEC5CEB6551F3200BD8B202C7302A938E95B07F780F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................2.....@..................................(..O....@..T...............((...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc...T....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~.. ...t...#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0.....6.....D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.777125012846138
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:HLyW7TWyDNyb8E9VF6IYijSJIVxRr9nw4:rfPfEpYi60D
                                                                                                                                                                                                                                        MD5:DAA6187A2ED4605964108B9ECED1CDEA
                                                                                                                                                                                                                                        SHA1:52D53C523EE8331D6AED99475290F979513A54FA
                                                                                                                                                                                                                                        SHA-256:1349E02D55471E06C4936425055BD61880773A861AFDD2E7421D4755BEA62841
                                                                                                                                                                                                                                        SHA-512:07F284D4A7941673D5F5D8436D2125EAA4DF6CD8605B26F32F6E90F4C35CCD07A2100E640E4A7414741F8DED3396C31F1FDDC75759A6AB3708EE59DDF1769530
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0.............2*... ...@....... ....................................@..................................)..O....@..................((...`.......(............................................... ............... ..H............text...8.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ......................((......................................BSJB............v4.0.30319......l...0...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................................\.....0...........D.7.....7.....7...C.7.....7.....7...[.7...x.7...-.0.....7.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.906192008068945
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:a6Rb32WVzWwtNyb8E9VF6IYijSJIVx00yf8yVo:1Rb3dtJEpYi60Sf8n
                                                                                                                                                                                                                                        MD5:1DD9B77627E1DCD7B80AEB2EE27A606B
                                                                                                                                                                                                                                        SHA1:395F4961394959DA52FAE061368C44A8BCF9A312
                                                                                                                                                                                                                                        SHA-256:AB1CFF60B51761E37309A63B1F57AC9B8A588F8427867523488642A8C97320A9
                                                                                                                                                                                                                                        SHA-512:0BC71EA7FB83C155D4F17E6538A7042AD804E362EBBDDE89934F5264B7A56FD2C2191603D6A1130F70D607489F5C3C3F16FCE3D5689C020902F35CEA703F8E8C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ....................................@.................................t)..O....@..P...............((...`......<(............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................)......H.......P ..l....................'......................................BSJB............v4.0.30319......l.......#~..........#Strings....@.......#US.D.......#GUID...T.......#Blob......................3..................................................K...d.K...8.8...k.....L.................K.................c...........5.........................2.....2.....2...).2...1.2...9.2...A.2...I.2...Q.2...Y.2...a.2...i.2...q.2.......................#.....+.....3.....;. ...C.;...K.[...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):31784
                                                                                                                                                                                                                                        Entropy (8bit):6.537237080993636
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:Bu5I+sqOylryry8qqIfUc7a5eMEpYi60mn:BYIVBpry8qqIfUcm5eF76Nn
                                                                                                                                                                                                                                        MD5:78E831E0FDCBBD349EB80E7A717FF355
                                                                                                                                                                                                                                        SHA1:32F3B7DF1D94BC98D62DA15944F477863AD6BF0F
                                                                                                                                                                                                                                        SHA-256:338B234FCDBAE4D7E19DC237DA559AFDE50D21A81192C0AFACDF2AD055BFF8FF
                                                                                                                                                                                                                                        SHA-512:136DD7189F40A4C67629C2D45BF80F611C63BE6AF586AB8975DD627729A935CEF0EC31193585436677C5DF34E28BFFF0691D4682439612431A603B4A0183E0AA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..F...........d... ........... ....................................@..................................c..O.......x............T..((...........c............................................... ............... ..H............text....D... ...F.................. ..`.rsrc...x............H..............@..@.reloc...............R..............@..B.................c......H........&...7...........^.......b......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*2r...p.(....*2rK..p.(....*2ry..p.(....*2r...p.(....*2r...p.(....*2rc..p.(....*......(....*..0..;........|....(......./......(....o....s

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.876786974883989
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Ovn4HREpWiQWtIANyb8E9VF6IYijSJIVxeWDdL7TD0:BS/I4EpYi60nk
                                                                                                                                                                                                                                        MD5:352884106780AA616929ED1AD0577C31
                                                                                                                                                                                                                                        SHA1:AF6D887BBB0C92D35ED59F3777C0D2583E75062C
                                                                                                                                                                                                                                        SHA-256:4B6A835E273EFC191EB1C0A55DF63409EA281D035FECEF02622F92363BE940C1
                                                                                                                                                                                                                                        SHA-512:CFB65C378EFC302E37A2AD2AFA6B8DC9DCAF7E39EA2994022DDEFEB86F575D05CC29F02B991E3F123B1933DA6CFFEFE86117F03AEAEBEAC015237B68D60CA9D3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................7.....@..................................(..O....@..P...............((...`......x'............................................... ............... ..H............text........ ...................... ..`.rsrc...P....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......l...#Strings....|.......#US.........#GUID...........#Blob......................3......................................................n.....B.....".....V.................U...........$.....m...........?.....(...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.!...C.<...K.\...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.77027842758303
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:78MjKb47T3UCcqFMkJ59WdtWcnNyb8E9VF6IYijSJIVxoQO:gMjKb4vcGdO7LEpYi60+
                                                                                                                                                                                                                                        MD5:BB0B262A1E19497B8617D5C54CA274D7
                                                                                                                                                                                                                                        SHA1:B079BAAACFD3CA4236A567F1095AE6D642885BE9
                                                                                                                                                                                                                                        SHA-256:BB2FD944A31A8D2D3C8D0234F59D8167C4455C0B3C130019C45BAD8CD1F66C74
                                                                                                                                                                                                                                        SHA-512:FD0CD25A69805E12BD44914711BA12416C36A661732973131C8FB394FE15DEAC2F80EE10F3467D03C08B306CC55B9FFA39AEC741580144DE51B111CFBBA0C029
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ..............................ZZ....@.................................`,..O....@..................((...`......(+............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................,......H.......P ..X....................*......................................BSJB............v4.0.30319......l...<...#~..........#Strings....4.......#US.8.......#GUID...H.......#Blob......................3................................!.....O.......................................].....z.............................7.......j...........n...........................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.8552515980726705
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:OzyNXd4+BW6FWqkNyb8E9VF6IYijSJIVxDYheFI/:3ztEEpYi60cQI/
                                                                                                                                                                                                                                        MD5:5888BA6BDDA6697B8F718C2DA08893A0
                                                                                                                                                                                                                                        SHA1:3F1168B27ACA1B65B28AE808C24DC4A0CE410B2B
                                                                                                                                                                                                                                        SHA-256:4091E50AF61775BC11F9E2FB4D6C2C282DD3A2267CFA9109F00A14C8755C5CF4
                                                                                                                                                                                                                                        SHA-512:6B37D628EDC968054AC44585AD7879EC45DE6D68BD62C88DCEF0FE48972CD1121F4311726D3C022C71DDB413563979913A40E652AED467A0050796EC01244F56
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ..............................\.....@..................................(..O....@..................((...`.......'............................................... ............... ..H............text... .... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P .......................'......................................BSJB............v4.0.30319......l.......#~..,...p...#Strings............#US.........#GUID...........#Blob......................3..................................................'.....'...T.....G.....h.................g...........6.................Q.....:...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.862846916378626
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:zvs2Q3HKJNrWWRWfUANyb8E9VF6IYijSJIVxm8MHN:zuM0xEpYi60PGN
                                                                                                                                                                                                                                        MD5:140000726444F6AF5359A562BDB552BB
                                                                                                                                                                                                                                        SHA1:7C8EFA451F889F1B104AABDF9E8E30D59CA9F379
                                                                                                                                                                                                                                        SHA-256:07D6A00E63F24C3AD8E8B5A620E4BCCCF5A64B25C5A53C3140253F776F4E0A4A
                                                                                                                                                                                                                                        SHA-512:841C0185C12BE5D6A49EC2362439FE9605AB53914C096423FAD34E48783010AA62FC71060D904A506792E6F9E83F6084C065C7807F874245DF0D8348840F0B4B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ....................................@..................................(..O....@..4...............((...`......h'............................................... ............... ..H............text........ ...................... ..`.rsrc...4....@......................@..@.reloc.......`......................@..B.................(......H.......P .......................&......................................BSJB............v4.0.30319......l.......#~......`...#Strings....p.......#US.t.......#GUID...........#Blob......................3................................................../...q./...E.....O.....Y.................X...........'.....p...........B.....+...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.8...K.X...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Timer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.829096685601233
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:mFz0Q6gcqRhcsMWdMW+kNyb8E9VF6IYijSJIVx9JtOZ/R:mFz1c60EEpYi60LqR
                                                                                                                                                                                                                                        MD5:3B8709DB32BE67BCD75859A4CC55D3AB
                                                                                                                                                                                                                                        SHA1:56EAF23919EB9370032A246A74E9669740E64691
                                                                                                                                                                                                                                        SHA-256:977FD5826719F24285FADC540C0F7B74053E7B9B724D160BF884681DC85077CF
                                                                                                                                                                                                                                        SHA-512:4AEFC904647119CFE002CE787DF5463816ABA97BEA8548F10ACB7DEE8D69CBDDF2FD252C44C491AAAE40404B611D262B14D42B3A6BAB36AC47C2FC67FC7DD8B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............(... ...@....... ..............................N.....@.................................L(..O....@..................((...`.......'............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................(......H.......P ..D....................&......................................BSJB............v4.0.30319......l.......#~......,...#Strings.... .......#US.$.......#GUID...4.......#Blob......................3......................................................\.....0...........D.................C.................[.....x.....-.........................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.725331273299116
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:r6xWA3W4aW/NWQvNyb8E9VF6IYijSJIVxIJZGV:raB/TEpYi609
                                                                                                                                                                                                                                        MD5:53092591BE1262409A40F8FA5C0C2B09
                                                                                                                                                                                                                                        SHA1:A4E823FC42B13218AB9B1EE75502833ACAE32DB7
                                                                                                                                                                                                                                        SHA-256:F5E828D4DD748A67D2B1E18E69BA3EC9D26070C5ACB1B57D9A70D535AD038735
                                                                                                                                                                                                                                        SHA-512:34BA74A4991FCBB2A711921012DE590B50CD347A79E0ADAB4C6B4A63C72FDBAD783BA582D70A0B4C2C7044AF04BF658657BB744865D8BB32E6454E805703786B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............,... ...@....... ..............................l.....@..................................+..O....@..................((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P .......................*......................................BSJB............v4.0.30319......l... ...#~..........#Strings............#US.........#GUID...........#Blob......................3......................................-.........O.k.....k.....X.....................1...........o.........................B...........9...........J.....J.....J...).J...1.J...9.J...A.J...I.J...Q.J...Y.J...a.J...i.J...q.J.......................#.....+.....3.....;.....C.-...K.M...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73256
                                                                                                                                                                                                                                        Entropy (8bit):5.9528236640882195
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:X784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAsk76nRf:X7N1r9KGI04CCAskwRf
                                                                                                                                                                                                                                        MD5:29A6127FCF6139A25AF8693179D46AED
                                                                                                                                                                                                                                        SHA1:6165AAB80873FD7C46F04023D10801C7D736A21A
                                                                                                                                                                                                                                        SHA-256:F7FF2F322A27C3832B25EDDEEAA2DC54CB466D1F53C598C1295D6D9B6283A796
                                                                                                                                                                                                                                        SHA-512:A4201388AFD38FDD392D64422EDAB439884A163B663A83053B2F46C7330682742B9650EC5337A43547BD681EEE6E4CF5BD89D6E3A3F889DC0A24F5B2B3694D9D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......$....@.....................................O.... ..P...............((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.854768377208066
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3r97WquW6/Nyb8E9VF6IYijSJIVxkp9VUc6K:3RJKDEpYi60elB
                                                                                                                                                                                                                                        MD5:60882D71149BBE641AE5BA05E8B60BEC
                                                                                                                                                                                                                                        SHA1:08A84CD2C479BA1877D74E628DE4545B33C61CB0
                                                                                                                                                                                                                                        SHA-256:BC2E11F2DB69BE3F3556AA6A59E5E31A9E970E464DE51626BDE6A5DED469A0EF
                                                                                                                                                                                                                                        SHA-512:6035F1AA55C8B2B286D12E457B7324D4C90B0BC3F863C86B5B7476A50324552A2D2099D6EAFC54D346C17CC9B04B6DB52634F7A3FC185B2FF4F5074E99915FB1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............+... ...@....... ...............................h....@.................................\+..O....@..................((...`......$*............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................+......H.......P ..T....................)......................................BSJB............v4.0.30319......l.......#~..T.......#Strings....0.......#US.4.......#GUID...D.......#Blob......................3......................................z...........j.....j.....W...............B.....z.............................................................Q.....Q.....Q...).Q...1.Q...9.Q...A.Q...I.Q...Q.Q...Y.Q...a.Q...i.Q...q.Q.......................#.....+.....3.....;.....C.4...K.T...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.792441439661817
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:316eWLDWGoNyb8E9VF6IYijSJIVx4OtciP:l6LbAEpYi60r5P
                                                                                                                                                                                                                                        MD5:2F9706BC54DC610C8047C5187F26FBD6
                                                                                                                                                                                                                                        SHA1:2CFF1A2D481B8F191BA651ECF4D1583FF707C428
                                                                                                                                                                                                                                        SHA-256:CADF8DBBDDEDE96C06C47817B98A834119D4C831295B0FFF48708F1B70DBBCDD
                                                                                                                                                                                                                                        SHA-512:E95A6A7020D43BF41498C565C47DED8D057C7106DE50506D51E9F6A09F6AF2F5D306B71D778AC7F52CAA01CFD2A9F1A1467A8A061A36CB8A01E23E266B1FC73E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............*... ...@....... ...............................l....@.................................|*..O....@..................((...`......D)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P ..t....................(......................................BSJB............v4.0.30319......l.......#~......8...#Strings....T.......#US.X.......#GUID...h.......#Blob......................3..................................................z.....z...u.g.................................>.....W.................r.....[...................a.....a.....a...).a...1.a...9.a...A.a...I.a...Q.a...Y.a...a.a...i.a...q.a.......................#.....+.....3.....;.....C.1...K.Q...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16936
                                                                                                                                                                                                                                        Entropy (8bit):6.786390980413795
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:O8G4YC2W+wW8WpwWU4Nyb8E9VF6IYijSJIVxPFD:BGZ5OwEpYi60V
                                                                                                                                                                                                                                        MD5:3C9610222E9B847F102AB330F085ECBC
                                                                                                                                                                                                                                        SHA1:9DA03826DEF2D8F7F8EE1A4FA16A4D8A0CC1493D
                                                                                                                                                                                                                                        SHA-256:A081FCE69771198389D32AAC400D6567654815595F836395EBEE17377661470D
                                                                                                                                                                                                                                        SHA-512:2C1D103B3E6D5DBEF62CF2C8156B8B45136CE572FEDAFE03A3178C02EAFEC524D275766E2C1823CAE95BFDD08D8CCC76954450CE58F13D444E7A35B686C1120C
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......Z.........." ..0..............+... ...@....... ...............................w....@.................................z+..O....@..x...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...x....@......................@..@.reloc.......`......................@..B.................+......H.......t ......................P*........................................s....*:.(......}....*2.{....(....*BSJB............v4.0.30319......l.......#~..0.......#Strings............#US.........#GUID...........#Blob...........WW.........3..............................................................L.........4.H...}.H...u.v...........;...........;...=.;.................../.%...........P.....m.....................................v...S.......v...d.v...........v...m...............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15400
                                                                                                                                                                                                                                        Entropy (8bit):6.898555778840737
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:M6ziqTEkGWvRWH1Nyb8E9VF6IYijSJIVxKPgdo8sq:MYT1cREpYi600T8T
                                                                                                                                                                                                                                        MD5:B6D36F988DE6DD6209F22AF582B4E939
                                                                                                                                                                                                                                        SHA1:CB28B1A9813DE047E691679820630E27FF0C939D
                                                                                                                                                                                                                                        SHA-256:5685B6F7A4B5D64DE5A9E9F05D56BA5B577882E87125A64B9246DC8F5D0011BF
                                                                                                                                                                                                                                        SHA-512:C867B99984CBCCB31F3D9BAEA8D2079C202FC7E54E224A44895CC4E00D80DBC433EF1B0A1CAFB7E00B3B926E601EB051C11588C05C40AF6AA396F000EA6EBE4E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B..Y.........." ..0..............)... ...@....... ...............................S....@..................................)..O....@..................((...`......d(............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................)......H.......P .......................'......................................BSJB............v4.0.30319......l...0...#~..........#Strings....x.......#US.|.......#GUID...........#Blob......................3................................................'...........~...................................G.....`.................{.....d...................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.-...K.M...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.808946442672549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:9Uv7c7iWNCWq0Nyb8E9VF6IYijSJIVxILAkdT:9M7c1m0EpYi600zl
                                                                                                                                                                                                                                        MD5:1F659D5017DAFFA15E3672898335F7C1
                                                                                                                                                                                                                                        SHA1:36359E0EA40902900A2540126FB35BF8D4A9F963
                                                                                                                                                                                                                                        SHA-256:DC731D628134FB040EE094E75A0CD8F2D5FE8C211A7A468635DE20A7297C7FC5
                                                                                                                                                                                                                                        SHA-512:B5FF6AD7DD57CBD20F51D0D159971E09A1A3781E3CA477355252BBFB695D5118C7423E719426BF68AB4C06E97C8E1AF5BF9A992C03535C78E72C6596A4CFD862
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............*... ...@....... ..............................*.....@..................................*..O....@..................((...`......`)............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................*......H.......P .......................(......................................BSJB............v4.0.30319......l.......#~......l...#Strings....l.......#US.p.......#GUID...........#Blob......................3................................................4...........~.............H.....H.....H.....H...T.H...m.H.....H.....H.........d.H.................................).....1.....9.....A.....I.....Q.....Y.....a.....i.....q.........................#.....+.....3.....;.....C.3...K.S...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):15912
                                                                                                                                                                                                                                        Entropy (8bit):6.852070312826578
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:T+vxmNWnRW5TPMNyby2sE9jBF6IYiYF85S35IVnxGUHF8C8nz6Ub:iSWnRWJ0Nyb8E9VF6IYijSJIVxI3Bb
                                                                                                                                                                                                                                        MD5:8618BC9691BDBD9CED63DDC44F752CA1
                                                                                                                                                                                                                                        SHA1:1C6931790DE77D4D7D2C632DB16A7A4D9AF3C06B
                                                                                                                                                                                                                                        SHA-256:F6241E4B1496804B81B5FF21DE6B73B660858D226BEE8A38BFAA24D4706F1584
                                                                                                                                                                                                                                        SHA-512:C73739A1CE07F56BB9106C5B528FA22ED57C92BCA1442D1D2E12F60D77024EE851229F9E1048B29F3764A5881C002463C9F06F03DCDA3301E5BD6265464F721F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...C..Y.........." ..0..............+... ...@....... ..............................V.....@.................................L+..O....@..$...............((...`.......*............................................... ............... ..H............text........ ...................... ..`.rsrc...$....@......................@..@.reloc.......`......................@..B.................+......H.......P ..D....................)......................................BSJB............v4.0.30319......l.......#~..........#Strings.... .......#US.$.......#GUID...4.......#Blob......................3..................................................k.....k...U.@.........i.....=.........................................&.....'...................:.....:.....:...).:...1.:...9.:...A.:...I.:...Q.:...Y.:...a.:...i.:...q.:.......................#.....+.....3.....;.....C.5...K.U...S.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (337), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5166
                                                                                                                                                                                                                                        Entropy (8bit):5.051173259749314
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cXgKIgKcgKRQ/gnSi++aPGl7p7Al4gnSi++aPGl7p7Ac:c5kIRVL/N7c9L/N79
                                                                                                                                                                                                                                        MD5:0D44EBBF2D029DAD6AFF0ED18803801F
                                                                                                                                                                                                                                        SHA1:F8DDD2B7D0B9CDF0DA2158F633929626FA51AD98
                                                                                                                                                                                                                                        SHA-256:76E455E57DBC8115C931E43E3218C374257D4CCD118765F3F23AC6FEBCAC9E71
                                                                                                                                                                                                                                        SHA-512:6B7C292CD2F769927D5DC6D58897844524063925E2C2D7E84147C34D1E137D0DA2A0705232D70C8977D4AECB127DCA4F2D681A10B304C59BCA786B7F7BF6E49F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-12-17 04:32:22.2466|ERROR|WuApiService|Error on retry number 1: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-17 04:33:45.5654|ERROR|WuApiService|Error on retry number 2: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-17 04:35:46.4051|ERROR|WuApiService|Error on retry number 3: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-17 04:36:54.8645|ERROR|AgentPackageOsUpdates|Error executin

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):92712
                                                                                                                                                                                                                                        Entropy (8bit):5.48308029356687
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:I2Ec05j4eAH64rh5fSt5T9nFcI94WYG76v:vlK4eA7mDmWYG4
                                                                                                                                                                                                                                        MD5:FAB1E6796418DA835C861AF332271C10
                                                                                                                                                                                                                                        SHA1:5FFB9F430BE3A9AE1D32A7BBDF592771E093846B
                                                                                                                                                                                                                                        SHA-256:A99C68919595987F3982E5BD87DA9E1D3ADA2A5CF83902DF5F74F84BA77560B7
                                                                                                                                                                                                                                        SHA-512:911CF5698BF7F806BB8E6EBB3990DC87A19CAC07E85EEC65611616049BDFA36978F142FDD24E97697180F8A4451E356C4B5A7EE4A1439B9AEB62BC2D0F8539D2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...M..Z.........." ..0..8...........U... ...`....... ....................................@..................................U..O....`..,............B..((........................................................... ............... ..H............text....6... ...8.................. ..`.rsrc...,....`.......:..............@..@.reloc...............@..............@..B.................U......H.......P ...4..................,U......................................BSJB............v4.0.30319......l...|...#~.....d...#Strings....L3......#US.T3......#GUID...d3..x...#Blob......................3................................q.....2B........e$.M...,.M.....M...4.M...1.M...1.M..v..M...*.M...*.M....p...........................!.....).....1.....9.....A.....I.................................#.......+.......3.......;.J.....C.f.....K.f...................2.....................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3024920
                                                                                                                                                                                                                                        Entropy (8bit):7.999909909636524
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:49152:qG/9p6ArK5mD89x/+gHaCubtJBePavnuS19BExgDGgkzEehiIVaiklpCWbjuHtpd:T/v6nFK5mLgkzZklfwpBRx
                                                                                                                                                                                                                                        MD5:A5CAA530EBA72B9C022A020CDBD9B747
                                                                                                                                                                                                                                        SHA1:7779AF820714DB278B4740D923885E17E143CC54
                                                                                                                                                                                                                                        SHA-256:AA7875B380B832872830A07BC0AFEF4D2C67E3D3159BAAED0B1AF113726354EF
                                                                                                                                                                                                                                        SHA-512:A4FB9A950753010B28D86F63601A711192C9D34475E44860CFC6A5142E13183786C5635F6E0F7DCBE01A9DE8D2D6FE368B2F5A3DB72149EF18CDBC78048EF59A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-........YI|.Z........?...AgentPackageProgramManagement/AgentPackageProgramManagement.exe....(.......wo.......I2...3=...nI......r/?.y?_5.8..YxR.k..?9..%F{'...U5Q...h.&J8....O..%1.C.....]`..^`.a.:.....u:......]..R4..wAR.,.U..8..m.yC...{F%...(..6...qq...E..U..4.a@x.......\.c. ...h..R2....z.s[[4.H...%]. .....g..&...v$y....M.b...|..t..&.3.r..5.,U.VXi..r...vI..#..rhF...x=i..0V..#u.9.:@...S.-...t..AK.m.$.tzh...-$.....mU.s....w.=...o1v3...@aG......j;....*).~....e....cr...]7X......{A..2V.{..@.!..p..V@h.FR...H".....'q.B.z.J...C..mo...."..W..h.B..X.4!....A......E.......V|.o{.G>...w.V.F...e..Q.S...1.j..jG...N`.>b....kkd}%.?.q....n.l.c.|%@.*... rz.C........F....KY.?.h).+s..J..\q.4.2.!-.;.7]......B..6.j.E...S"..|..."F.tRQA........v[...e....r..........lpk.W_.j.......5x.KG.0.......G@r.x.~H...y.d.w>.5m.EP..J..J...@1..T._Z....:.."3L.N/.......nF.;.R.$..g....6}X...PP.k..p....i......./......y....-dv......>w..9..|.EM..:.i....u.G."..&.$.7......F.1?.......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57896
                                                                                                                                                                                                                                        Entropy (8bit):6.17368696309647
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:MJZ9Gx/x4S7IRyh+ngOBF3Q+ywIsybxZuYL6uKSRtYcFm7B6K+WEpYi60W:MJXA3ogMg+KTbxauZBm7Bl+X76X
                                                                                                                                                                                                                                        MD5:D6B7C686867602B045B64B932D752C10
                                                                                                                                                                                                                                        SHA1:6F9016683AB6A050784B6BC367CF4B2945B510AA
                                                                                                                                                                                                                                        SHA-256:99629E0CDD5D1C38C9E27A14D1478191371A9A3A5A561A2E8A757F951C5422ED
                                                                                                                                                                                                                                        SHA-512:5752DCAA41E267D5845655BDBBD1C7FDFDD6CDB32AC7E3EA2631FC1B402F5D88A62192765C5E7C4C55911C5F5558530EC35C69E1E6509193095A75B2B55FBD62
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....`g.........."...0.................. ........@.. ....................... ............`.....................................O.......................((........................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H.......HR..Dn...........................................................~....(....-..*.(....,..*(....~....(....(.....l(....(....*...0..3.......~....(....-.(...+*~....(.....(.....(....o....(...+*..0...........(.....~.....( ...*..0...........(.....~.....( ...*..0...........(....(......(!...*2.(....(....*v~....(....-.~"...*~....(....*...0...........(#....(.....o$...(%...*.0..g.......(&....('....o$......o(....s).......+......O...r...p(*...o+...&...X......i2..o,...o-........,..o.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1251
                                                                                                                                                                                                                                        Entropy (8bit):5.000868036244702
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdszvPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3sB7iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:16D1DF732FB7C3FE51EE9657C5AC458C
                                                                                                                                                                                                                                        SHA1:32CECF6AA8A03E11A967D54C67F9404F6A73D57B
                                                                                                                                                                                                                                        SHA-256:4FC493DA952DF0968311A06FAC3A5D03FBC2351DB77D0D907A1FAFA4ADA08777
                                                                                                                                                                                                                                        SHA-512:1F33ADA48F1ECAFA9238B87A8743C0A92953D123A917E38EC9F7EA7B92A7514AF6F244E4E3F77141D9ABDC11D120641FBDE9318525E0C3F2DC16F6E1D91634C9
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>... <supportedRuntime version="v4.0" />... <supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <asse

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXTLQ:WBTk
                                                                                                                                                                                                                                        MD5:7B772E8870F15E5A324C99903FC1126C
                                                                                                                                                                                                                                        SHA1:4CECBD49501AA01F6AAE67E0EA7BEA6BBE149041
                                                                                                                                                                                                                                        SHA-256:8F3AD35D4A1E3005C66A375C8E6810FD9BCB838E30619DB970774AB9D6EDBA3E
                                                                                                                                                                                                                                        SHA-512:B223E084F58A309503C1CAD5374AF6DB1233E91BCDD429C9ACC08D349CAAEF64C12BA6D09B5AE8FB65866DDE4A4FF48AED4319794A7CEF3185F896A4788AED0D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=26.5

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112168
                                                                                                                                                                                                                                        Entropy (8bit):6.177870485804748
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:Pgs5os2RUW33uzNrscqSofyqwshFDfuX73QbQgLb/xs8bRUi+kEWWdK76tUzz:P0jjnl1wuDYjQbQgLbZs8DWdK5z
                                                                                                                                                                                                                                        MD5:C25E7CA39D0ACC6BA21C9B1BBC753C3F
                                                                                                                                                                                                                                        SHA1:E52624828F0E947C2DB437099B3D18E17B0EDA5D
                                                                                                                                                                                                                                        SHA-256:94C9D97A30117BE1451432CA55BD5E2B95C8E8C081D3DC691B90689BCEE73CB0
                                                                                                                                                                                                                                        SHA-512:77486714A175B5BE07F2143DD32E198FC1DB4AE102CED12015A0F4654F1186B619C2BDF695D87BE8C5F003CABD50C582C444FA75DB6ADF75D227F3A32D978397
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y.g.........." ..0.............b.... ........... ...............................y....`.....................................O.......8...............((.......................................................... ............... ..H............text...h.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................D.......H....... ....!...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...ta...r...p(,..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\CredentialManagement.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38952
                                                                                                                                                                                                                                        Entropy (8bit):6.311706918648539
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:zINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wg6:UNsii6v/HS0+OJd5gpKm76tg6
                                                                                                                                                                                                                                        MD5:A7A0C1A3E93D2A9609335E3F7B7D8FB8
                                                                                                                                                                                                                                        SHA1:846C6F9B6F7303395B2D8DCCD0E8592B92E15526
                                                                                                                                                                                                                                        SHA-256:6E2A4A4C82996F1254CBAAD043A1964F30340147025716C8F934DB5FB1FC1CA5
                                                                                                                                                                                                                                        SHA-512:0ED532225DF6AD0B02240EEDA4A9E0F2FC8157BEB4A0C2524B8A6245722133D4954C1CD3ACC461992D7610AEB3290BADB6EFF099D529308769C41F03907C9DFA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ....................................@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398888
                                                                                                                                                                                                                                        Entropy (8bit):6.134162391255298
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:tjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvS:t+e55LgIkTmyAAfTnMLvS
                                                                                                                                                                                                                                        MD5:EF932F62787FC97AB86C868A6997D674
                                                                                                                                                                                                                                        SHA1:045B8179AA00C5BE0CC902C0A64819BF4F81E90E
                                                                                                                                                                                                                                        SHA-256:C8D5992C31960EBDA20490F25AD96C50E155C97C648E9E2E36FDD5EE6A13BEF3
                                                                                                                                                                                                                                        SHA-512:76DAA329C7082FD8C0055F47762980F738872060E97304F09DE899FF1EA158D72DF1F9491CAC0D63D7434DE069BB9BF1D1ABC3B920930FA720DCC16DB1D0118D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`......K=....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.9605883376443005
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:zBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUV:zBjk38WuBcAbwoA/BkjSHXP36RMGI
                                                                                                                                                                                                                                        MD5:93FB51465859E7E7D6601B08CDFA8CA3
                                                                                                                                                                                                                                        SHA1:22806A0E6E117FCBF47D7AB1B38466721906EC84
                                                                                                                                                                                                                                        SHA-256:C1BCAD2B09B37B58E8AD40765318C10C276C61634D29B34A4BBC6CF8328116C4
                                                                                                                                                                                                                                        SHA-512:6D8752A75FDE027B9889D35BB37F35D2FAA7246104576A486A5D13145678AB8963FE911F78F8C43092ED961A29A9A1A13C5BAABA6844AC04007F5639DF8E7407
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... .......}....`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.675796518163144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Ay/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOq08N:AuhMaVmzDC6k0EpYi60hN
                                                                                                                                                                                                                                        MD5:867FD56DF9DA65A73E4398B94601075C
                                                                                                                                                                                                                                        SHA1:AE16CD1441533D219BF2C88F80D404D0FC76F1C2
                                                                                                                                                                                                                                        SHA-256:2B33511C3D429B806845B340B6D71F4711C5AE2F3F8161309FE1E6FD9A017FBC
                                                                                                                                                                                                                                        SHA-512:AE1F51F4434D21A62B6F6954A2FC7EDCC07EC1EB4A3BDA263F494428A136C2794C5D56CD2EB889F90CF79BBCB96758C157EE184E7726263ADE5C9DB94E48DD2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............((...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64040
                                                                                                                                                                                                                                        Entropy (8bit):6.266486749126179
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:9YDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607z4Z9:9KC9niwOepJ6TJPeb6NIUFg76Kz4Z9
                                                                                                                                                                                                                                        MD5:209C40ED640F5B1559F6101261C57B67
                                                                                                                                                                                                                                        SHA1:B6B362984E3344020800D92DEC6B08F22953E53B
                                                                                                                                                                                                                                        SHA-256:1610457E621745C88CE37B463E6F4FBFB2DE51B8ABD033C756725F709BCFA545
                                                                                                                                                                                                                                        SHA-512:6E86E509CA2D2D87DA54E6D3E6E1E2929AC898D9A7AC13F744EC8E00F93DC2119E21F25C3811AC2E975E74C8FCCA2C0184DD11C19D0D4A6B51D7E1FD0FCF93DA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@...... O....`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138280
                                                                                                                                                                                                                                        Entropy (8bit):6.178284916873051
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:kP3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJHu:kh0qjC5RMOHO420kN11
                                                                                                                                                                                                                                        MD5:886B765792DCE94114D2AD06F79E3F58
                                                                                                                                                                                                                                        SHA1:FB1596F2B5104E68F65B5730BB5C4601370B5F80
                                                                                                                                                                                                                                        SHA-256:9C4591BE45BDEDBAC83A0FD9C4DE28DD60EF442D686FCB709C048B66C45A8398
                                                                                                                                                                                                                                        SHA-512:586E4D036E38A391DABA353C1D7B45345996EBB16FA402D2475C42A59B7B959575A7ED264ADE93EB26DF0A8DE386D563692317508D44F033A6602F13542391B6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`....../{....@.................................3...O.... ..0...............((...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.635009457377427
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:STO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF08Nhp:SCn6xYEpYi60k8N
                                                                                                                                                                                                                                        MD5:E7E34C7CC03503B4DA72E26434BE71E1
                                                                                                                                                                                                                                        SHA1:0B6C67912916233DD658CC8FDBDFD90ED4FF75DB
                                                                                                                                                                                                                                        SHA-256:9648A1444EF53BA5E65B7C925AB7CF9EA06AC48D957FC85A40D9E13A2B841699
                                                                                                                                                                                                                                        SHA-512:CAF1424B5E4CFD79D1D150E18B4292EC5E528AA4511069E19762A619A7A0C40C3C0245C58EB6468A5097506E6B0CF360C95744AE22BF144A7B5D54FE3F53F0B6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^...........!.................1... ...@....@.. ..............................uv....@..................................1..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H........#......................P ......................................O..q.<.P$[p.;a<...Ci......K..!..&.d...FaLJ.....f..........w.E.E........(y...,.Lr..R..........T.z....5..;.. ....&V.=}.... .0.0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0................*..0...............*...0...............*...0..........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51752
                                                                                                                                                                                                                                        Entropy (8bit):6.16945426601163
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:YbYPzANqrXnwgMZXyixq3pHN3OsjZMqlIFvdCRIgcWEpYi60C+:NUlI3pHNesVM0AvdScX76p+
                                                                                                                                                                                                                                        MD5:8C5EE7DE0F688A773C8CF420063222E0
                                                                                                                                                                                                                                        SHA1:CD85026613C106CC0B5EB9CE3E17F09176FD661E
                                                                                                                                                                                                                                        SHA-256:9CBE1B028D97F22CD71F08FB7A9F68DFC11A417DFB413C720F95F94FC13FB7D4
                                                                                                                                                                                                                                        SHA-512:FBB7489B13C08E48559E3E579F124271469F78677F843A4B42F3D676413946C563AC4912B3215A976D3710E85D2E6EF402E763CE533E676820FF844710E9107E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jm..........." ..0.................. ........... ..............................H.....`....................................O.......................((..............8............................................ ............... ..H............text... .... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........L..lj............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..{....*"..}....*..(....*..{....*"..}....*..{....*"..}....*..{

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1140
                                                                                                                                                                                                                                        Entropy (8bit):4.958392223272386
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7N8OH2//3dVhOXrRH2/dV0PH2/+w3VUrPH2/+789y:327iOgl27Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:082A70376537A2E9B0BD9DFAD8D2496D
                                                                                                                                                                                                                                        SHA1:1B4A667CFB09D050614149D6FD8A283071DC890A
                                                                                                                                                                                                                                        SHA-256:50934981FA1B0066B22261984941887740838459B5CFA06846BA15F39B4D10F9
                                                                                                                                                                                                                                        SHA-512:763212C74B6AB727C6E2C19CA2CDFC547B357BD5E1E5C196A3A2598DCEB316D3C8E8554A7EDD1AFA99FD38E1153EDC383631D2755BB31E70236084CF27C49875
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="log4net" publicKeyToken="669e0ddf0bb1aa2a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-2.0.12.0" newVersion="2.0.12.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedir

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):6655016
                                                                                                                                                                                                                                        Entropy (8bit):6.267122556998023
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:98304:4CMEM0MUMRMxMwMkfqbjxbSzGVr4W11ByHY4W6upIjf:8lV1qKpkfqbjeGVr4NHYJ60if
                                                                                                                                                                                                                                        MD5:287F2B076B6EB292F18D9011F5C77A55
                                                                                                                                                                                                                                        SHA1:7D7234644360DD12F91222842C43F206D7B53AB9
                                                                                                                                                                                                                                        SHA-256:88E5FD53C7D06A2FFC42D3DF5D09365E80FF418C8F0407D708061DBC8A58A898
                                                                                                                                                                                                                                        SHA-512:FBFBDF587E4315D445D646675D43BDC62BD905B96CF577DAD392E2A0CEAC18FC0399ED01BE2C99A33190B58908F8E41EBD035A5501953E11760AFB4F3346FA40
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Db........... ......c..........c.. ....c...@.. ........................e......e...@...................................c.L.....c..............de.((....e.......c...............................................c.............. ..H............text...w.c.. ....c................. ..`.rsrc.........c.......c.............@..@.reloc........e......be.............@..B................H.........A...!.........H....3..........................................0..T.......r...p...o......9,....s......o......o.....o..........9.....o...........9.....o......*.........3..........7E......"..o....*...b.:....~....*.o....(....*....0..s........:....~....*.o......9......i:....~....*.~....:...........s.........~....(...+~....:...........s.........~....(...+*.....6..r...p(....*.."..(....*...:.(......}....*..0..+.......s.2.....}.....r...pr...p... 2..s....o....&*......0..{........o..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):280616
                                                                                                                                                                                                                                        Entropy (8bit):5.690963329276027
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:UG0WgexKpGi8PnJcerXUaxX3HVeES4BEIqTTpX/4ormGpnaVTSGCkMhkEn7GAhCj:UJrycoB3HVeESME3pnaVTS1nh7hCaW
                                                                                                                                                                                                                                        MD5:44ABABBFD8B19156C37277E917803B81
                                                                                                                                                                                                                                        SHA1:4261965865038BB98C8BB30D9B065099BBCB996E
                                                                                                                                                                                                                                        SHA-256:1A3F64642AE3B69ABC2E500EB93FCC9F3350B1CE05E8F15C671BA8C60CFE797F
                                                                                                                                                                                                                                        SHA-512:D15A64BA263DA151D8E531870A0C47049E6AD805420548291DE776C160EF4D0545FD2D8B66C9AC1D2871A797BC22D9A611DB00294CD5B27D0EFCA48D8FF33678
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p3..........." ..0...... ........... ... ....... .......................`......).....`.................................h...O.... ............... ..((...@......L................................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):342316
                                                                                                                                                                                                                                        Entropy (8bit):7.999331258360695
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:6144:Ir6VUI82xfkgpWrvL/JVW2L3ukK29GSya5GZ7F2vtVygTNBr6VEZGqTkxU4sAQgY:Ir6+jAfk/rD/J3Lun8EaekVcgTzr6GZR
                                                                                                                                                                                                                                        MD5:09447F135F7F4486C165061CF443C569
                                                                                                                                                                                                                                        SHA1:3AD4264DB3112F845D35C112AABEA9CBB2E21AFA
                                                                                                                                                                                                                                        SHA-256:0142E2CA4F93C9631591065DC53944A86E4B961620F4FAF1FE8B61A8B2867C9B
                                                                                                                                                                                                                                        SHA-512:BE678FB5CA389198A5CC474C8E9E9D0C79A92A582CB81325B13D8BE226725AD04FAA6ECC3B4B7CECAEDAA6F15EC13F01C0276100EE19FAAF0A1B1DD7D061F31B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....#D.Y.V.:........-...AgentPackageSTRemote/AgentPackageSTRemote.exe....(........m......~.;8w.8...N.....]..z..1.o.?.............b...T..*.....W......v....,.3.<~.@.U...F]....oCo..a..dR......Q.+.Q+.#B..7.\.@.>o.;..J7wd........H...m.G/.^Y..2..u.._.b.0.%T.U....,^........W.....MS.+...;..N..63d..m.0w._`V.J.t..g.x....?f=...81}j.SS.....*.z..M. ......=Y].yD.<..S..,.{..x&@g.&.}...A...y..<z`.Z.a.>H.......wo.k..]9.9..-.YvL..FhQ..P]..1.+~d.....'9...4O?.$h.....2.`..G....2T<..(.t..q.W#..]C.6/a...o....Q......c...X.....]q..U.%.....8...~..k....~.b...c3ob(G.&.S..8g.x.vO.Cz.yk.p5....i..-=.p...=^...wg.....N...R...TL..... ..uP...Q...... ..5....u..Ydn...RW..w.;).n.v.......WA.Q.........2....,Z....T..P..."....[h......~}..N.k...].6..M..|.......To.......'..Q...&.y.........v...OK8.e^..%>.e..B1:7.#..(..........;...79|.....n..u.,..[....#Q..........{...T...i..H....1.8.....S..|__....^Cu...*....M..T....r..._G,....H....T=..?3.X..{.5..".0(6...\V...p!..1..S...d

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):72744
                                                                                                                                                                                                                                        Entropy (8bit):5.510938920637226
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:r8V3tfciq9s2k7Xvpci+yLYCJoUu7Q6P+O76q:klPna02B86P+ON
                                                                                                                                                                                                                                        MD5:67FEF41237025021CD4F792E8C24E95A
                                                                                                                                                                                                                                        SHA1:C47A5A33F182C8244798819E2DC5A908D51703E8
                                                                                                                                                                                                                                        SHA-256:C936879FBB1AA6D51FE1CDC0E351F933F835C0BF0E30AEF99A4E19A07A920029
                                                                                                                                                                                                                                        SHA-512:232015FE6BEE6637D915648A256474FC3DF79415AC90BABDFC2E3DED06C2F36FCE85573EC7670F2A05126AA5F24A570B36885E386061666D9EAA1F0DA67A093E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...B.Pg.........."...0.................. ... ....@.. .......................`............`.....................................O.... ..P...............((...@....................................................... ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H........B...............................................................0..........(....9....(....~<...%-.&~;.....t...s....%.<...(...+~=...%-.&~;.....u...s....%.=...(...+~>...%-.&~;.....v...s....%.>...(...+~?...%-.&~;.....w...s....%.?...(...+*.*..(....*...0..-.......(.....3..*r...pr...p(....,.(......(....+..._*....0..(........(......~....(....,..*..(....~....(....*.0.......... ....(......i./.*...............&.........4...%.. ..o.......r9..p( ...,.*......s!.....s!............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):541
                                                                                                                                                                                                                                        Entropy (8bit):5.097123194334321
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGp2VvOF9LNFF7ap+5v5OXrRf/2//FicYo4xT:JdsIOvPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:D0EFB0A6D260DBE5D8C91D94B77D7ACD
                                                                                                                                                                                                                                        SHA1:E33A8C642D2A4B3AF77E0C79671EAB5200A45613
                                                                                                                                                                                                                                        SHA-256:7D38534766A52326A04972A47CACA9C05E95169725D59AB4A995F8A498678102
                                                                                                                                                                                                                                        SHA-512:A3F1CFF570201B8944780CF475B58969332C6AF9BEA0A6231E59443B05FC96DF06A005FF05F78954DBE2FEC42DA207F6D26025AA558D0A30A36F0DF23A44A35C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXRLW:WBRi
                                                                                                                                                                                                                                        MD5:B22628235C1F44AE054091C8FDC82D23
                                                                                                                                                                                                                                        SHA1:70C8E5ABD9D2D8A18B769F6E71819FB53B273B9B
                                                                                                                                                                                                                                        SHA-256:B31673E38897D5D84558E2745D02C553649A50063A9F0E7DE7E71BBA89916232
                                                                                                                                                                                                                                        SHA-512:C1097690938F3EDCBA20802DFB77880FB29D1F8B70C62FA76D1828613D57355FD04C0B3D26DA90128DB2DF2E63E4E30C8E195B84452C0931B8CB2F043D5BBA98
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=24.3

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96808
                                                                                                                                                                                                                                        Entropy (8bit):6.179705686579105
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:FJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762s:FQUm2H5KTfOLgxFJjE50vksVUfPvO1m
                                                                                                                                                                                                                                        MD5:C548EA0CD65F5981C2DF82A0177A9D3A
                                                                                                                                                                                                                                        SHA1:5D082BC6BC2D1F2267AE8525F3A528A0B58C3161
                                                                                                                                                                                                                                        SHA-256:BEAFAA0CF51CE914B58482094044A6CC742C3269431A812D5683CA3034ACCD84
                                                                                                                                                                                                                                        SHA-512:530AE2069185897612E0129135065954379F75F6C9F9DAEE3F7D9DFE49C7CEAFC8807DC866591F39337410FAFA76733705C316912F3A12AE85565ECB775476F4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ..............................;.....`.................................(f..O.......8............R..((...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960555604702895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:UBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTU4:UBjk38WuBcAbwoA/BkjSHXP36RMGN
                                                                                                                                                                                                                                        MD5:1792F462B4908235FBA6B3B4B2203276
                                                                                                                                                                                                                                        SHA1:E1B0CF8559C330377E2DE7FEE9FCC0FC3D34566A
                                                                                                                                                                                                                                        SHA-256:8CA1C3651A6F118C80E712BCB9C44031EB3D8C7180A60EDA5F2B24A0584082A9
                                                                                                                                                                                                                                        SHA-512:7AB9E256A4359A5560BD8C10014591F350F2788F72693234C16AA0B75F95F9EE3CF5E219B97A33944A5E730202BD355064885FD060812EE150107FFC84C92F65
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ............`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\attendance-updated-time.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18
                                                                                                                                                                                                                                        Entropy (8bit):2.974937501201927
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WiVTT7NJz:Wqzz
                                                                                                                                                                                                                                        MD5:CF229CC3F92E5C94F03FBC4891EFECA1
                                                                                                                                                                                                                                        SHA1:F31C85D75C018F2F2FFC12975865F709DCF683EB
                                                                                                                                                                                                                                        SHA-256:F16B686E15F774D2A4B597D93E53A2A91D204FBE13D1E24F6FFDC3B53D9D6997
                                                                                                                                                                                                                                        SHA-512:72CC887B319F2E3B6AEFE28BBCCA667584D2AE3273DD86C69A5018B3404A8F9C54C4D4311A5D9C4693A80C792BCD0D101FED84B2EBD3C4168D750FF3394D02F2
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:638700066824111540

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1560
                                                                                                                                                                                                                                        Entropy (8bit):5.049479698658914
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:DXQ0/bqd+sVNPBEiQ0/bqd+sVNPBHQ0/bqd+sVNPBxvEK:DAUbgd5BQUbgd5BwUbgd5BZ9
                                                                                                                                                                                                                                        MD5:D0EE9DCB614B7F5601AC4E56C7D7BFA2
                                                                                                                                                                                                                                        SHA1:C6FF0F48B3EA9F6A875DAB81BD1508069B261C48
                                                                                                                                                                                                                                        SHA-256:DE1C9A0FFA3242BC9A1E3FD987B05C2AD8AEB1E1059C3B98678F877A689BEECB
                                                                                                                                                                                                                                        SHA-512:4B862DB85064368CA86C31C85A425762EF5A13AD73A4D084CFC2F19592C71B0D19E0B44376ACB905124C28F681977EF2225F2254E842419767830EF828F0B757
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..17/12/2024 04:31:22 Failed to set key: RequestPermissionOption with value: ..Exception: System.ArgumentNullException: Value cannot be null...Parameter name: value.. at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument).. at Microsoft.Win32.RegistryKey.SetValue(String name, Object value, RegistryValueKind valueKind).. at AgentPackageSTRemote.Persistence.AteraSettings.WindowsAteraSplashtopRegistry.SetValue(String key, Object value, SettingKeyType settingKeyType)..17/12/2024 04:31:22 Failed to set key: RequirePasswordOption with value: ..Exception: System.ArgumentNullException: Value cannot be null...Parameter name: value.. at System.ThrowHelper.ThrowArgumentNullException(ExceptionArgument argument).. at Microsoft.Win32.RegistryKey.SetValue(String name, Object value, RegistryValueKind valueKind).. at AgentPackageSTRemote.Persistence.AteraSettings.WindowsAteraSplashtopRegistry.SetValue(String key, Object value, SettingKeyType settingKeyType)..17/12/2024

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):687097
                                                                                                                                                                                                                                        Entropy (8bit):7.999301462450433
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:/RXzKywF1eMeWoENSWdoY5RI+L77Abu6o9atsrK/4WUHkei7aMpOIlv2H:hzKP9oISAoYrI677AK62aGWZ7FpOIK
                                                                                                                                                                                                                                        MD5:15BE7A1225D2015FDE97B5C2BF27569E
                                                                                                                                                                                                                                        SHA1:EC3041B31C796EED9E6AC6E565FED3B5068F198A
                                                                                                                                                                                                                                        SHA-256:686058C3A01FE67FC0CB8D1E66535CFAFCFDE584D07781FEB1461618826364CA
                                                                                                                                                                                                                                        SHA-512:02B6307FDDF2D4F22567C5C7749B9ECF5BA124057360494A545BC02871558CB6FAC0224598C43E76F683C4A3C9126D62096E04D53769ADCA75DAD0416137CE85
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......@.Y..IV........3...AgentPackageSystemTools/AgentPackageSystemTools.exe....(........j.......)..%.....Y...U..j..a.y."Dr+xC:.p...&.v..3.1/.p..{h.`B........z.W).*....s...........5.4...B..Oi}...?+Y.....*...........RO..O..'..k...<...]D..Q;M&c...>-...#F..l.....U E}......Z~y...VYc..C.......i3..O..`..}....t~...AX....Z.....4.@...'..M3.B..>Q2B...-<... }.Q....X....|..=.........Q5..6...`..;..>}..8...g..@..-4.._w.W...o.D.Il.z?.&.. .\z..v....:.....w.$G.C.G.M.fN..1`W&...zM........8m.4...R4a.+..ZS./w.Jy.Z..*.bj1.gV.[.b.,....,(oT.uY..M6~.F..O$.>.M4.....oC..uP.K*.r.C..L5@i4..NT..\{. .....).{.~........u.....V.D....~....\.UL..........^...5...MD....2.On.a-.i........X...O..#V.X.2..$.....x^[.h.b...&p.....JN..,S4O.g.n2e....*.u...".E.W..-Tc.....b....=.@...}.V....6{I....N.s.j..1.X[...`s..6^...'..jI......h...J.60.6A..#U.w._[.Q.o..^...m09A.. :.B.C>"K j.1y.>.b....b...I... ..H.H..........4..q.{.....M.D.R2..|..J.Y#.1.xIZ.u.."....,.y?h.H...0.[.y......&}.|..m..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):51752
                                                                                                                                                                                                                                        Entropy (8bit):6.286030081106931
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:esXr7JfmSn0jVGcxf3KI3NjkfE53Tnz8ztFeDZUBEpYi60Cc:eOFnarB3NwfE5Dz8LEZUq76Fc
                                                                                                                                                                                                                                        MD5:6BC1A40E1C27E34FB38B1E646AAF7EE2
                                                                                                                                                                                                                                        SHA1:2B35EACC9498AB06AB46B0EB13B1F1846CF96ADC
                                                                                                                                                                                                                                        SHA-256:372204BEB17F9AF59A26C1F1CECCF313C30ACC7466F1B29B4112430BCCF48E84
                                                                                                                                                                                                                                        SHA-512:C04D75AD9F68FC669F99C35B053E74FDB9383DB6C9042619420DAD5919EC63819E7073803E072ED8B5B41CE0454A7C5BE3D81A40EBD3FCF3B073333E8BDD31E6
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...'.Zg.........."...0.............^.... ........@.. ..............................(.....`.....................................O.......`...............((........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...`...........................@..@.reloc..............................@..B................@.......H........C...r...........................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o......s....%.o........o......s...........s....%......io....%o......o........o ...o .....(!...*..0..........r...p... .....r...p.(.....o......(.....o.......("..........s......[o......s....%.o........o#.......s$..........s.......i.J.....%......io%.......o ...o ...(.........o&...*..('...*...0..].........~(....~(....~(........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):923
                                                                                                                                                                                                                                        Entropy (8bit):5.156246271896278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:Jds4F7k1hOXrRT2/2E10PT2/+w0E1UrPT2/+7Trln:3ss757Rkqk+wik+7Nn
                                                                                                                                                                                                                                        MD5:D6FCBCF9C6ABC2F051772E7A7D5EDFD5
                                                                                                                                                                                                                                        SHA1:33D9962BCC42F021A7CEADF3D1C613B4643C66F6
                                                                                                                                                                                                                                        SHA-256:F523D40AE141AA8899B053D77117FCF50639708757AD4A050F3A11E8582A894A
                                                                                                                                                                                                                                        SHA-512:07DA40F1C43A1E35582ADE5DBBAEB47EC2922C42241BD4B950EFA76407597CF838338E27F3F5197E02F5209B27542207BEDBA9B85681955E3C326C95C1F5AC22
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />...</startup>...<runtime>....<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.....<dependentAssembly>......<assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.....</dependentAssembly>.....<dependentAssembly>......<assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.....</dependentAssembly>.....<dependentAssembly>......<assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />......<bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.....</dependentAssembly>....</assemblyBinding>...</runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):13
                                                                                                                                                                                                                                        Entropy (8bit):3.5465935642949384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXSgUn:WBZU
                                                                                                                                                                                                                                        MD5:A68FD83B6812524BA659708B5323738E
                                                                                                                                                                                                                                        SHA1:4898AF8DDD48B89B6D0F57D08C795E477D9FBA49
                                                                                                                                                                                                                                        SHA-256:358327E0D5BF2182C61872CE9282B4257E4A2B0540D17DAA4555FA679A229B1D
                                                                                                                                                                                                                                        SHA-512:9E4B73DB126562F7A84A8FB8EC2A1654E9CD8DB6236305DC5E64F445B266545A6AA506D8C37161577AD780538697F29A96CBA3CBCC4EFD05B7BF47A1F140573B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=27.11

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.Mutex.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):14888
                                                                                                                                                                                                                                        Entropy (8bit):6.879305102210371
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:192:fC9aM0P8P2Nyby2sE9jBF6IYiYF85S35IVnxGUHFi3oCj:fC9abP8ONyb8E9VF6IYijSJIVxu9j
                                                                                                                                                                                                                                        MD5:B8414539AA307D28D54BA4DA49BAA62F
                                                                                                                                                                                                                                        SHA1:94ECC4FD997802F9DF2EE0A09185454FC072D065
                                                                                                                                                                                                                                        SHA-256:0362F585CBDF093BEA16AB56C55DF1784610EAD257BBCD4D2EB4D1DB38014627
                                                                                                                                                                                                                                        SHA-512:96CEC5DF1F3CA6ADF9B5C57893029DA46E082C9E797F7D5D369F5349412DF96F6E11084A265E7FF774BF83D537DF7C4F5AC9DF4B071EFF8012B27351D55340F9
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0..............'... ...@....... ..............................#p....`..................................'..O....@..L...............((...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...L....@......................@..@.reloc.......`......................@..B.................'......H........ ..............................................................R.(.......s....}....*2.{....o....*6.{.....o....*BSJB............v4.0.30319......l.......#~..p...l...#Strings............#US.........#GUID...........#Blob...........W..........3..................................................................8.....@...........k.g.................................T...........].V.....V...................A.!...........H.!.1.....!.c.).........V.............8.....P ............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112680
                                                                                                                                                                                                                                        Entropy (8bit):6.177500062233969
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:+tsGQngrGJbFzosIehOKHbeqRMFOblTQFHRbd6U/pC18VdUEvfkAS77S76iy:+6fBzoWtRMFOODbd6U/Y18hK77Spy
                                                                                                                                                                                                                                        MD5:6970C828E51DC263F4F14CFC9303003B
                                                                                                                                                                                                                                        SHA1:0243FF899BE76A2319521AAE08D35A1737EFF21A
                                                                                                                                                                                                                                        SHA-256:321F4FFC7E16A3B6A699F891730F5862C0933009BE5D84E510871791F15430C4
                                                                                                                                                                                                                                        SHA-512:198D41EA1CD366F9387CC7A8DBC6BFB8171845168B2120989E09E11407FCE1A7FC1B2E297105876424A3B3D380FC5B44C46ACF931DD13EB0D3A18CF1ACF821A8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&.Yg.........." ..0.................. ........... ..............................c.....`.....................................O.......8...............((..........|................................................ ............... ..H............text........ ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B.......................H...........t"...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...td...r...p(,..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38952
                                                                                                                                                                                                                                        Entropy (8bit):6.309788080581439
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:fINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgy:ANsii6v/HS0+OJd5gpKm76tgy
                                                                                                                                                                                                                                        MD5:4FFD20EBA9EAE8A4D71A4CCD589E39CF
                                                                                                                                                                                                                                        SHA1:D0199278A626E9D295072FA5A8582A15C7583C55
                                                                                                                                                                                                                                        SHA-256:C3A249955F2BC7809B96917A3BB5A69BB5F7A54FABC023EB9DB764CA5B7B9C5C
                                                                                                                                                                                                                                        SHA-512:991D82B4A1FF9570BCDD9C912CBCAFF8C80A94826707B2BFD8915AB3F732A6152834CF936F4D518A1D6CBA484FB48523F61536CC409B1F28F08FEB7C3C4D28C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ....................................@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):16424
                                                                                                                                                                                                                                        Entropy (8bit):6.855499793771738
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:S1c5HLPirxWW4/wyNyb8E9VF6IYijSJIVxkAM:S1cpmPNSEpYi60E
                                                                                                                                                                                                                                        MD5:0060823775F16743AECCEB6DE4DBB8AD
                                                                                                                                                                                                                                        SHA1:3266F6FBE2E91777B51A3A40A523B5448BE5EFE5
                                                                                                                                                                                                                                        SHA-256:6188C16B6641C3D418537020382E562AC39F7B2C6599B6326EC3F9F05EF227B0
                                                                                                                                                                                                                                        SHA-512:44ECBD43A229B2554875182B7853634BE35E93F76DF3299C5539B366BBA0C2D07E3EE87634C97000C7B78C7E5451BF2D1D58E52F54F60CB7AFB047781C2B2FEE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.Zg.........."...0..............-... ...@....@.. ..............................].....`..................................,..O....@..................((...`.......+............................................... ............... ..H............text...4.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................-......H........!..$............................................................0../.......................(....}......(....&(.....{....Y*..0..D.......................(....}......(....-.(.......(....s....z(.....{....Yn*..(....*.0..t.......r...pr...p...s......o.... ....(.....s......o....&s......(....vl(....o......o.....!..(....&..(....o....&.o......&...*......S..o........7..R.!....BSJB............v4.0.30319......l...T...#~..........#Strings....\...4...#US.........#GUID...........#Blo

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1017
                                                                                                                                                                                                                                        Entropy (8bit):5.00184675687532
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdArdEtPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3Ar+z7O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:8A743B2BAC31EB00D4BDA0EBC8DF160B
                                                                                                                                                                                                                                        SHA1:5564F6A8F02973D040E8409E21B2A18ECA2CA8EB
                                                                                                                                                                                                                                        SHA-256:31A69A6D9423CE1BCF98F5281DEB1B8F537D95609CDFA03AF9A41CBF00D1243A
                                                                                                                                                                                                                                        SHA-512:9F14C687EF076CEB4B903E2C5803DCB9401BDEADC00B0E090765E67B54E9BEEC733B087609D76C605C8485C7E446E8DB3A0D8AA3E17C969FC155F069070BB543
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup> .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398888
                                                                                                                                                                                                                                        Entropy (8bit):6.13428787028244
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:RjS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/ZmvH:R+e55LgIkTmyAAfTnMLvH
                                                                                                                                                                                                                                        MD5:A3008D478A57AC234CDC253BBC7F9F60
                                                                                                                                                                                                                                        SHA1:528437D2568842658F68E92E9B27117AD4015037
                                                                                                                                                                                                                                        SHA-256:70F2CB79D3FAEFF43AFD9128D67C568FF7167C997263B7CDD13EA994DA6ED1B5
                                                                                                                                                                                                                                        SHA-512:F971495CC1469273EDB055718BEA8B8EDE6EA04214E938BE987B662E0CCDEDFBA47173593414B171351079D2DDA11C245D9042E32918A3A23949770C5FA948EC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`.......4....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.96056332961101
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:sBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUj:sBjk38WuBcAbwoA/BkjSHXP36RMGe
                                                                                                                                                                                                                                        MD5:1EA58D26DCD24816959E6B35F7BF747A
                                                                                                                                                                                                                                        SHA1:BCB4A937F206E68F4AD107E936807AAE056475BB
                                                                                                                                                                                                                                        SHA-256:2B41CB318A275CAF053ECD8A8024C6C96E1A61FB729327097938A66A222070B7
                                                                                                                                                                                                                                        SHA-512:45001B1D9FC2284BAD9DE450FD73716F882C2F7D1098FE5C8F65290147936FC57BF65CF2CE1CA404FD7125ACD2815DA196A26E097D252837C302A68572E69C3A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ......&.....`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):18472
                                                                                                                                                                                                                                        Entropy (8bit):6.706389759512927
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:Tq+stMuQM22tDNyb8E9VF6IYijSJIVxcyOI:TIMud2efEpYi60H
                                                                                                                                                                                                                                        MD5:D09D334B74989996A2955324B2B69CCF
                                                                                                                                                                                                                                        SHA1:2803A10FDC2D98E730AFA2660AA84B0F0B34F210
                                                                                                                                                                                                                                        SHA-256:96D3ED6E532DBE0759667416F92F6EFD53DB4CB681B41A1F61E1AA5D827BB43B
                                                                                                                                                                                                                                        SHA-512:C5700E8FBB525B248848B633E82920784DD0061B4789E35AD303F3017055DE42AC03188F09D1FA151CD1A3E291FA12E6BB0EFC2D947D65385E438DF64606151A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...(.Zg.........."...0..............4... ...@....@.. ..............................A.....`.................................d4..O....@............... ..((...`......,3............................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................4......H.......(#..............................................................6.(.....(....*...0..........s....%r...po......o......&..*....................0..%.......r!..p.s.......o.......,..o.......&..*.......................!!.......0..........r_..p(......i...r...p(....*....r...p....s.....r_..p(.....o.... ....(.....s........(....-.........o.....o.....o....(.......l&..-.s....%.o....%r...po.......L....(....o....&..&...o....,%.o....( ...-..o....(!...,..o....(".....,..o.....*....4..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):975
                                                                                                                                                                                                                                        Entropy (8bit):5.005145470654642
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsHPF7NhOXrRH2/dV0PH2/+w3VUrPH2/+789y:3st7O7Rgdsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:DB02B24A7803C99F651940FECBE6E283
                                                                                                                                                                                                                                        SHA1:34EF3032B61E369535658D72BCE1E9908888EA0A
                                                                                                                                                                                                                                        SHA-256:207C4D442FACD06379217DD915D85D926DD622E72F6DB5814753FD2E5F8D0048
                                                                                                                                                                                                                                        SHA-512:9C76B6E3DBB34E2729F5C0E49A2A195C87AE11916A4479676AD09EE2C182DD83F87E826BA39DDF410B99A82EF1053571AA7A1E97426D396794C6E25E066C3849
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>.. <supportedRuntime version="v4.0" />.....</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.3.0" newVersion="4.0.3.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Memory" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-4.0.1.1" newVersion="4.0.1.1" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.673416104268275
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:3y/fjFwUI/KQyVvKdDhG6ISDFWvYW8af0Nyb8E9VF6IYijSJIVxOqGvg:3uhMaVmzDC6k0EpYi60wg
                                                                                                                                                                                                                                        MD5:CA1C428ADB5872777EC6A105C7D1EFF9
                                                                                                                                                                                                                                        SHA1:6C6F3452E2699E9EEA3D3F300766668359917EC9
                                                                                                                                                                                                                                        SHA-256:F08F707F9CEA7ADB4D43573533CE2CD357AC04616B47FA6D4A1A81F2EABAED6D
                                                                                                                                                                                                                                        SHA-512:4BE96D58EB63B867C99B60CC29026A5D7BD0BFBF7FAC869C6C4C5348554568B3B88448A648782481C96C303B4471941D8F597F3DFE13BE9EC63C08951117FE1E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$...........C... ...`....... ....................................@.................................sC..O....`..@...............((...........A..8............................................ ............... ..H............text....#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B.................C......H........(.. ........... @..X...xA......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*.~....*2r...p.(....*B.....(.........*..(....*R.....(...+%-.&(....*^.....(.....(...+&~..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64040
                                                                                                                                                                                                                                        Entropy (8bit):6.266761914470489
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:iYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zRL:iKC9niwOepJ6TJPeb6NIUFg76Kz1
                                                                                                                                                                                                                                        MD5:182E1E00BDB7B16C66169A6A9342CDBD
                                                                                                                                                                                                                                        SHA1:5B25935680A57926640092EB2CB7838EE2C86F9A
                                                                                                                                                                                                                                        SHA-256:BEBE376EA2274F3723F93562A47F977EA036A719E54A35511EA7E9521F8C9E36
                                                                                                                                                                                                                                        SHA-512:95569350BA7E0EC54C067CC262C2F8E8017C9CFD1E663F0681E802FB1D4EE590CF6BA36DA8E9CE31CD5E0FB919CD3101D4F17E021D6BF25B045FE03592F91F80
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@............`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):138280
                                                                                                                                                                                                                                        Entropy (8bit):6.178858736123087
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:3P3XFz0qjCIIMAxlUXsKovHO420kN1A6C8IJH9:3h0qjC5RMOHO420kN1W
                                                                                                                                                                                                                                        MD5:E28122AB74176E6CE6FDA6E237615B9B
                                                                                                                                                                                                                                        SHA1:36B00A7D5C91873AB0FA555DF7384498108FFF1F
                                                                                                                                                                                                                                        SHA-256:030F115AD1F8298B7F599B7399A29FB86786D99EC98F3DC33A7767DD69E0FDC6
                                                                                                                                                                                                                                        SHA-512:F054440D510DA500B42C63E4872D001DF6C3E86EE317EC8981E1B077474F9A22A13C507F1827F8F7C23A28A0EBD28CAB007DC21F415540C31DE46EDE210FDCD2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`......na....@.................................3...O.... ..0...............((...@..........8............................................ ............... ..H............text...\.... ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B................g.......H........ ..............P.......8.........................................(&...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....('...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o(....{....(X...*..(....zN........o)...s*...*.(....z.s+...*..(....zF(L....(F...s,...*.(....z.(M...s,...*.(....z.s-...*.(....z.s....*..(....zN........o)...s/...*.(....zrr...p(S....c.I...(F...s0...*.(....zBr...p(P...s0...*.(....z.s1...*.(....z.(O...s2...*.(!...z.(V...s2...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.633344050480558
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:WTO9dQWXYW8a6gNyb8E9VF6IYijSJIVxJF082cu:WCn6xYEpYi60k8e
                                                                                                                                                                                                                                        MD5:BEA66EB1DF29AD0860D6394CFCBF7DBC
                                                                                                                                                                                                                                        SHA1:23173D6A2BD055CCEFA3F7845478D58EFFC0B915
                                                                                                                                                                                                                                        SHA-256:D56B6020C47CE10B4030E533442CEC7DB713F19DF407F4CC8D5860AB108B7A1E
                                                                                                                                                                                                                                        SHA-512:1B8800F05729AE46AA80E1BF804AB9DA964D8B881724EC82BBB2188FF186B7E8C8891F02BB4C2DC956C1A4AC443EEBAC513AE37A604C4451BC6D8F7205417DBF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^...........!.................1... ...@....@.. ....................................@..................................1..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................1......H........#......................P ......................................O..q.<.P$[p.;a<...Ci......K..!..&.d...FaLJ.....f..........w.E.E........(y...,.Lr..R..........T.z....5..;.. ....&V.=}.... .0.0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0................*..0...............*...0...............*...0..........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.InteropServices.RuntimeInformation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):27176
                                                                                                                                                                                                                                        Entropy (8bit):6.33278245676455
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:An1VM0JrpNWDcIh6leOiDFIFBYp1+yWEpYi604L:AnvXYcIh6yFIFBYpcyX76z
                                                                                                                                                                                                                                        MD5:48A2F08D9B23752C60694F6362229FEA
                                                                                                                                                                                                                                        SHA1:06AB43F0C7365676D8AA46444E9CC10351B73ED5
                                                                                                                                                                                                                                        SHA-256:16FFC7E3B4B0425EB0D9676871E068B862A5F46A235842D0669F2942B366271D
                                                                                                                                                                                                                                        SHA-512:08404FE1EBD554AAE3086A2B3E1D5D9B9F1E1E61A0E24133F4BE3EB4F134AB920B1A0AFD6967772C8FDA6D959DF8A4C030F1E68A930944ADB82D912B146CFEA1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Ub.X.........." ..0..8...........W... ...`....... ....................................@.................................dW..O....`...............B..((..........,V............................................... ............... ..H............text....7... ...8.................. ..`.rsrc........`.......:..............@..@.reloc...............@..............@..B.................W......H.......4%..p/...........T.......U......................................r~....-.(....s.........~....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*.......%...(....*.(....,.r...p......%...%...%...(....*.......%...%...(....*..0..A.......(....,!r...p......%...%...%...%...(....*.......%...%...%...(....*2r...p.(....*......(....*2(.....(....*^~....-.(.........~....*..0..........~..........(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3264797
                                                                                                                                                                                                                                        Entropy (8bit):7.999874275656608
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:98304:wmlKzCGP3O8ZafZGor7w2Xtapa8vte3kntR0+:DnGRZafZ2ja8JnXz
                                                                                                                                                                                                                                        MD5:FF671B6085BA35E1BBEBD5D2389AB7D6
                                                                                                                                                                                                                                        SHA1:D7719A66E303C4E854FABA873B781E0084F36998
                                                                                                                                                                                                                                        SHA-256:4F2A43098F6EFF50A03FDE9E134A4C8B7DF6FE7E9A9C6913AFEEFE0DEEB1463E
                                                                                                                                                                                                                                        SHA-512:F5A63EEB6A239D7BE9935CEB1240AAE7C9F3A8D5740D665B5FDE6F28A7667FEB345F88BC440EBE7D6A0512B448F4E3772A49823BC6AD8BA7372E0A31B5F9F200
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-.....`mzY.W........../...AgentPackageTicketing/AgentPackageTicketing.exe....(........H........@.e....R.l....bkS.b.o.&.....7.o.....6.5|..>..B.8.+C8..*c....j0.....f)....El._..w......l.....E.R.......L....,..|.}.?.1.5z.!.......<m.~SB....G.&.....e..?..sS.E...+.^..".t....r..bPD.G.........".Na.-oN$lg>...[..u...6......R...x..C...u...Y.}.........w-|I....I}..R.\!.A`..Bw.4..(\...f38.I\g.=..Ud)..9..r5...+.p..N.T..H..O:..{8w....d.T.M...;%*..........:.Lm.rh&.j&.F...]..h..u}..&.a.#ev..5......}O.?;..xQ....\....wd...x.)...m.Wc-%..aN..%.M.-..B..4S*.....v......{.].+^{.*_..E...\I.xR...Cv.s=F.....y.g.}iE..r.X...R8..b.1.H%....f{.M....%G;?..G........... ,f.."BH...[...9....@..b.....6..8.....f...XL.K./oi.WM.OJ..e...".]] 24B..n.}..E..6~....~6....g.-........f.&T.zZ...%......^.x...Aw.0...R5-p..I9.J~.^].gj......Ok.....hP..X.c..../.o#.Fz.*..Y../.j.!....-... ...QZ....R......%e.....y...+./*^.i&."HM.v>..(......rzf..v'4...G..n..m...a.>..\..jsM...F`...X.=txRV.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):33320
                                                                                                                                                                                                                                        Entropy (8bit):6.271212916167532
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:w2G6bukIMKWcoIQEIhL4lylU9vfWtkfoi75yHiDMMXpO64REVmiRWNyb8E9VF6Ic:VLKF6EIR4lXdIEDLmeVmiR+EpYi60Lb+
                                                                                                                                                                                                                                        MD5:DB1DB66EBD9B15B7DCD55374EA56EE5E
                                                                                                                                                                                                                                        SHA1:C22897EB20900A66CF62023C37D6A7D1192AEC3D
                                                                                                                                                                                                                                        SHA-256:0263A627BBEA55A66DEECD7A43F8537BB68B5F95BB3D4269D3E594BD1D851E64
                                                                                                                                                                                                                                        SHA-512:B56B2143A60E6153E7FB752029C72D78547D5253F32ECBD0DDA5A8ACC5C3859292E860162B11A041A37B4F618F4425484B4E2385D7E2C621C8CBCED073E3A67E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0..N..........~l... ........@.. ....................................`.................................,l..O.......4............Z..((...........j............................................... ............... ..H............text....L... ...N.................. ..`.rsrc...4............P..............@..@.reloc...............X..............@..B................`l......H.......@4...6...........................................................0..........r...p... .....r...p.(.....o......(.....o......(.....o...........s......[o......s....%.o........o......s...........s....%......io....%o......o........o....o......(....*..0..........r...p... .....r...p.(.....o......(.....o.......(...........s......[o......s....%.o........o .......s!..........s.......i.......%......io".......o....o....(.........o#...*..($...*...0..~.......~....r-..po%...(.....(&.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1537
                                                                                                                                                                                                                                        Entropy (8bit):5.0063120500114895
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FV0PH2/+w3VUrPH2/+789y:3sIk7O7RgdjdgFSagFsg+w3Sg+78w
                                                                                                                                                                                                                                        MD5:C3CA0AD8FE91D02044029A11A9480B1F
                                                                                                                                                                                                                                        SHA1:1FB4C1063460C48AC77D3D4702697A35727A5E51
                                                                                                                                                                                                                                        SHA-256:B2AED8BAB56D0FDBD1D6F1277A3257DFFBFD107BEB19320C0D1F4DC0E4AD3AEF
                                                                                                                                                                                                                                        SHA-512:50B18B6DD91CB691C8B77AB612A7172CE59881705A52F59880A29A0F81E910A61D3D4506AB53B1F945611AFE079B96A896F3F01442D3B68801B2748C68AE01F6
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhWB:Wo
                                                                                                                                                                                                                                        MD5:6473ED6D0D25B902FD8B7CEE34B2D260
                                                                                                                                                                                                                                        SHA1:5D0890CB19224079F6581D88C15B24E554364771
                                                                                                                                                                                                                                        SHA-256:1BEAAB7D9B210D794011D33238AA883B2A9A60FCD58A7FD6C29203289363392B
                                                                                                                                                                                                                                        SHA-512:543699EEB71F06DF84B401FC98AFB8CA6EE3A9E9D5F9B6FCCE54277CABA6CDCE100CCCFD2E310A30F274E73F2BBA161C5886D5599DEFA99CCC324540F074B265
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=30.2

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):112168
                                                                                                                                                                                                                                        Entropy (8bit):6.179971319993443
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:HgssVbDRgWchiMWXRIe0ZMTR8U3XTknAxb2waOn3ybQgLbYpm8GRUdokEWUpj769:HUpviy8UHTRxrybQgLbGm8FUpjO
                                                                                                                                                                                                                                        MD5:FD50AE7287B550575E360113077053E4
                                                                                                                                                                                                                                        SHA1:AB7C072756C7C9E6164580BA9E1E9D1E025850B5
                                                                                                                                                                                                                                        SHA-256:F3C49E6BFC2CEEDD5C3F8D5C07BB5D98E6D2DEB494B066B0878BB3B34136A140
                                                                                                                                                                                                                                        SHA-512:B833CFF36ABFFA34E0BBE8F87F63C24FE3F4F95A2D2C5C7C694F39D21B3E6761D57F68B052FB6423EA78D348214BA5F06D7BCF56F4C10355F3B088BE71D0C6DB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..... g.........." ..0................. ........... ....................................`.....................................O.......8...............((..........L................................................ ............... ..H............text....... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B........................H.......0...."...........................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p( ...r...p(!.........("...(#.....&..*........00......:.(......}....*..0..Z............($...,......(%...*~..........(&........($...-..(....s'...........,..((.........(%...*..........&E.......0..G........{....,.(......5~)...r'..po*...rm..pr...po+...ta...r...p(,..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145448
                                                                                                                                                                                                                                        Entropy (8bit):6.2029293745881775
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:hRdbKQx0YYK8gwbUEA5xZs0vVV2yzlhXhYThkyFqhtuElLVwkVJe5K+Q7P6IlIhA:X9XeDmzV2yzlhKLFU1lLVp1+2flYFnQB
                                                                                                                                                                                                                                        MD5:1AE3ECAC33709823C5C63FC0EEB83C1C
                                                                                                                                                                                                                                        SHA1:68A940D985D93B5EC6BB0629278ED43100DB5C8B
                                                                                                                                                                                                                                        SHA-256:8D39FD0909B98939C03F8F364A8306B53E1AF02F6C122285EB2405E6D390F118
                                                                                                                                                                                                                                        SHA-512:9301F5C579D1B1EF6A0BDB7F29330CA8BA1C32613E9F34132D8E97D9A671FC427F98A21D3E272ACDA72D00BCBCD13F9095E7592C6F67527BE135D1B6C9AA2E15
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....nI..........." ..0.............v$... ...@....... ..............................R+....`.................................#$..O....@..|...............((...`......,#..T............................................ ............... ..H............text...|.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................W$......H.............................."......................................V!.b.....s&........*..{....*"..}....*..0..Z........(....o'...-.r...ps(...zs......(....o)....+..o*.....o.....o0...o+....o....-....,..o......*........*.$N......J.s,...}.....(-...*..{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*6.|.....(D...*..{....*"..}....*..{....*"..}....*V.(....-.r...p*.(....*..(E...%.(....o"...%.(....o$...%.(....o ...%.o....*..(-...*..{....*"..}....*..{ ...*"..} ...*..{!...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CredentialManagement.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):38952
                                                                                                                                                                                                                                        Entropy (8bit):6.310987006425106
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:hINsi1A6I1MLzHS0+iFJBn5gpKNEpYi60wgi:GNsii6v/HS0+OJd5gpKm76tgi
                                                                                                                                                                                                                                        MD5:8A538A202FB4CC0BD0C8F6DF1B00A7ED
                                                                                                                                                                                                                                        SHA1:A0A609D7C9B4360830902BAEFB6DED9A80C68CE9
                                                                                                                                                                                                                                        SHA-256:650CAC5CAD71CD59077578A6402A829FDF1DC6542DF7C5AEAB996B65FB676BE4
                                                                                                                                                                                                                                        SHA-512:D4D1873F51064A4D151C2950C058087F0F2FEF3496C38BD5206718B74490254652C09FB683A4A8096C51DB4700F029C74DA3AEA59EC1C924E28B181912CDF140
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..T...........!.....f............... ........... ....................................@....................................O....................p..((........................................................... ............... ..H............text...$d... ...f.................. ..`.rsrc................h..............@..@.reloc...............n..............@..B........................H........2...O...........................................................0..+.......s.........~....%.(.....s............(.....*..........#........,..%{.....`}....*.%{.....f_}....*..0..>.......................(....}=......}>......( ...}@......(....}?....*R.{....,.r...ps....z*:..(.....(....*...0............(.......(.....*...................J.{....-..&..}....*6.(.....{....*:.(......}....*6.(.....{....*..(.....(....,.r]..ps....z.o ... ....1.r]..ps!...z..}....*6.(.....{....*..(...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):29224
                                                                                                                                                                                                                                        Entropy (8bit):6.6707658881278595
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:hmYaXzmSJL6guJrdvc5tIZmQCaBj4QU3hOTVTDvAGvoOCcdcOFyF606Nyb8E9VFx:bSJh5tIYQzT5zyF60aEpYi60f
                                                                                                                                                                                                                                        MD5:0C45A5EDD0217F927DA829BCB69B6EBC
                                                                                                                                                                                                                                        SHA1:EAFC8785985724EDE5BE9A01BAD2216EAF78D3DE
                                                                                                                                                                                                                                        SHA-256:EEA3E8AD892CC4EA203ED7C19EA2B0DCBBD415DECCCB407A38ECD785C1A97FB2
                                                                                                                                                                                                                                        SHA-512:23D958CEA8246E57DBE5CDCD7D25BF4B18900004B9364A7492B6DB754B021E91813C32FCBA89D3529503100D51C81B30C236A2D1BCE770EEE2313CC4519551E5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p;_f.........." ..0..B..........Na... ........... ...............................s....@..................................`..S....................J..((........................................................... ............... ..H............text...TA... ...B.................. ..`.rsrc................D..............@..@.reloc...............H..............@..B................0a......H....... 3...-.........../.......2.........................................}.....(......}.......(..... ....(..... ....(.....(....o....*"..(....*..(....*...(.....{....,..+..+.-..{.....o....o....*...0..?.........+..o....,..+..+.-..o....o....,..+..+.-..*.o......,..+..+.-..*..0..J.........(.....(....,..+..+.-2.{.....3#.{....,..+..+.-....s....}.....(.....(....*j....$...s..........(....&*z.{....,..+..+.-..(......(....*..{....*.0...........{.....;.....(....,..+..+.-...}....*.{....,.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):219176
                                                                                                                                                                                                                                        Entropy (8bit):6.062603743526206
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:zYq80gPJle2CpcKyudA1+PVtMG8e7sw9CcHvhl9l:zYqqbe2CSod5dtM8ww7Pz
                                                                                                                                                                                                                                        MD5:5B3A6237E3AF3C7AF02CE7F3F670D241
                                                                                                                                                                                                                                        SHA1:05E79F3693B9396B34EDEC73942A9C03951412E0
                                                                                                                                                                                                                                        SHA-256:0F7FBE7E66A78174FCD84748572C4F4A2D03BF4D14BEB2670ADCAA51661A2A8C
                                                                                                                                                                                                                                        SHA-512:1844D5FC440446875FF4ACE95D520CE2D7D0E19CE004968A19DAE4244C8CB8CEBAACD7627F406D6F54B3DC00B6DAC2E497126577C2CB496A184E58B8B6421E37
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...j;_f.........." ..0..(...........F... ........... ..............................M.....@.................................dF..W....`...............0..((........................................................... ............... ..H............text....&... ...(.................. ..`.rsrc........`.......*..............@..@.reloc..............................@..B.................F......H........S.......................S.......................................r...p(................s.........*...0...........o.....=3A.o......o......,..+..+.-.....o......(F.....,..+..+.:B......oK...*.o.... 7...@........o.......o.....o.....o........(F.......,..+..+.:t.....{f...,..+..+.-......-\.o........([.......~....(....,..+..+.-5.o........oF........ob.......,..+..+.-.....}f.....&......o.......o....*.o.....\3%.o.......o.......t......(......o....*.o.....]33.o.........1&.o........

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):302120
                                                                                                                                                                                                                                        Entropy (8bit):7.17562583053395
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:iVub5mx115y505H0jIfJMSFk9X0jIfJMSFk9i3:s6wJMykwwJMyki3
                                                                                                                                                                                                                                        MD5:9D2ACE1AA982BC225B578121C5C2F666
                                                                                                                                                                                                                                        SHA1:44A5F15565CAFE89AAD5AEB5AA7439AD18B70461
                                                                                                                                                                                                                                        SHA-256:66D62CA3B40E51E98FE11738E467405AA9A0BBEB14671F2FF158A830E87C6D57
                                                                                                                                                                                                                                        SHA-512:7C31721AF889403180240A9C68C1DCEEA8EB94C9C3E903CD9258E31E784AD8C62D9DDD372E78F5FB9A581DE68AAC9DCAE5C6C466894670EA27A21DAB3758C602
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L... .F..........." ..0..l............... ........... ...............................c....`.................................?...O....................t..((..............8............................................ ............... ..H............text....k... ...l.................. ..`.rsrc................n..............@..@.reloc...............r..............@..B................s.......H.......$W...u..........@...X...........................................V.(......}......}....*..,..{.(..........,..p .@..(................s....(....*.~.......~....(....~.......~....(....*..0..........~.....(.....{.....{...+..(......{.....{3.~.....3..{.....p3.s>...s....%.o ...%.o!...(6...*.{.....{3"r...p.{.....{.....r...p.("...(#...*...0..$.......s$....o%...(&...o'...((......&.....*.................0..6.......r...p.().....-.r...p..q...(*.....q.....(+......&...*.*..........//..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):432
                                                                                                                                                                                                                                        Entropy (8bit):5.0141792226861375
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdGzNFF7ap+5v5OXrRf/2//FicYo4xT:JduPF7NhOXrRH2/d9y
                                                                                                                                                                                                                                        MD5:8F6EB9E75E6A6F0C0D58FB697C10CEDF
                                                                                                                                                                                                                                        SHA1:6944935DFDC33E0C6DB26869BF25EDA85A2622D8
                                                                                                                                                                                                                                        SHA-256:E2B8677434501735FB0233ED0CC2FFEE5BF6FB4387C51DBCB2585A70E42E4F08
                                                                                                                                                                                                                                        SHA-512:A946252B2E3705EAE751A2672D4ADE1499ECEB28C48B4BE6150C4201EE20A7B9A4450C75E06B07F5DAA3528041A566931D988FBD0C2EA90240D61008895BA44A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215080
                                                                                                                                                                                                                                        Entropy (8bit):6.030450621120585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:N1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7so:8Izm6pOIgvr7R
                                                                                                                                                                                                                                        MD5:A60919C8F8E65F7518286F804E54DB5B
                                                                                                                                                                                                                                        SHA1:9FADD4B771F00E87FF3DDD6C2B3A6FD25A1DBBF1
                                                                                                                                                                                                                                        SHA-256:FEB7575C2D9205C20A4526F60BB69CD631088927B6E58DD59AD561C792122803
                                                                                                                                                                                                                                        SHA-512:93517F2B5475BFD58986620538EF059C1532C2D653BACF8B67FF9A58D2F193F2A4A2338A27E2A0FAA51FCC88CF648BFDACAB261BA4BCF51A73BC815C83266DC8
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ...............................x....`..................................'..O....@..t............ ..((...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):398888
                                                                                                                                                                                                                                        Entropy (8bit):6.13428794433901
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:+jS6t1sm5LldNolZIkImcTi077Keb0wi0Lcr4so8mysKTqRjMnM6/Zmvu:++e55LgIkTmyAAfTnMLvu
                                                                                                                                                                                                                                        MD5:2B53A3CD189BF49E88B602C15418EC29
                                                                                                                                                                                                                                        SHA1:FA3D80250D1F3BD34331FB6FBF7DBEEC7D50DEF7
                                                                                                                                                                                                                                        SHA-256:013A5EE19F0E3EC57CD77B7D6D85EB7C5F8CC9E631E6D04388EA83BF0F307DC8
                                                                                                                                                                                                                                        SHA-512:1221C8961F330B3F50A6DA56ACD54EDEC82E38843C3E2470DEB5F25A62E21927CEF688260221CA277C151B1C5266B841D7F1EB54EFD7C4C2036ECAD72624FDC7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ... ....... .......................`.......`....`.................................v...O.... ..................((...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H...........P...................$.........................................{)...*..{*...*V.(+.....}).....}*...*...0..;........u......,/(,....{)....{)...o-...,.(.....{*....{*...o/...*.*. S]G. )UU.Z(,....{)...o0...X )UU.Z(.....{*...o1...X*.0...........r...p......%..{)....................-.q.............-.&.+.......o2....%..{*....................-.q.............-.&.+.......o2....(3...*..{4...*..{5...*..{6...*..{7...*..(+.....}4.....}5.....}6......}7...*....0..k........u......,_(,

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960710652636906
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:jBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUH:jBjk38WuBcAbwoA/BkjSHXP36RMG6
                                                                                                                                                                                                                                        MD5:2E417388C1A053781655B4F14909216F
                                                                                                                                                                                                                                        SHA1:7EEA1424B92A3CDA918D9364557CEC4954397663
                                                                                                                                                                                                                                        SHA-256:C887F1417108311D77C8CF6E2DB1D95337ADE1E1BF95E0813EF5A4B8FE92110E
                                                                                                                                                                                                                                        SHA-512:472B5ADCE66638E5FB5A77D686CC0E492BF61556F6B878CFA74FE83D817B8BD057550806B504EA29A2BE91D3C8795B089DFDC83ACA8660B59DAE0180721E1E67
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... ....../w....`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):154664
                                                                                                                                                                                                                                        Entropy (8bit):5.990387112012148
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:Z4wM6OoRu7qywKsqxhDuPr5xJMnOfMAw3TkHjt0QQNOWIkHUsz72otHA3d:Z4wZywKn/U5xEwKIk0Wm
                                                                                                                                                                                                                                        MD5:B945BFFBD7FE6C1B5CD7572EB64FBE88
                                                                                                                                                                                                                                        SHA1:8FCC3551664ABB2D870DDFF456F43110BD0B8765
                                                                                                                                                                                                                                        SHA-256:55CD1DED0A3241E59E8F4DB1D97F3805C2AEA17AAB1AC070BCD7B3608201B751
                                                                                                                                                                                                                                        SHA-512:3F7B120800547C96F1C1355ECBC566984775637589D3FA26AAA7F526DF2F6ADFA670F5E17A11BA00C1E2E0ED6CFEC20BDEE7408EA9BFB1292DA84402D321C443
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...}.b..........." ..0..*..........6&... ...`....... ....................................@..................................%..O....`...............4..((...........%..T............................................ ............... ..H............text....)... ...*.................. ..`.rsrc........`.......,..............@..@.reloc...............2..............@..B.................&......H............D...................$........................................{....*..{....*V.(......}......}....*...0..A........u........4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. R..0 )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q.........-.&.+.......o ....%..{.......%q.........-.&.+.......o ....(!...*..{....*"..}....*..(....*:.(......(....*"..(....*f.(....%-.&+.(b.....(....*..(....*"..(....*...0..%.........("...(#...($....#.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):22056
                                                                                                                                                                                                                                        Entropy (8bit):6.670013589446811
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:4rMdp9yXOfPfAxR5zwWvYW8aznNyb8E9VF6IYijSJIVxAw89:4rMcXP64LEpYi600
                                                                                                                                                                                                                                        MD5:941F9C846BA51963D7C3EA4013BBB798
                                                                                                                                                                                                                                        SHA1:BD5EC38B867EA815F89B9C097EE6CAEDED412398
                                                                                                                                                                                                                                        SHA-256:4201A3647C90EA19E6725F458C6236B5E3683D4BEC6FCBB785263DCC1E85D040
                                                                                                                                                                                                                                        SHA-512:3E2F8371ED5E19FE80D7FCCBBE17D109C684FBAC465C6BB1D3C111B31E18F29B8067A9B5BD9AE5EE2F8621DA8E6ADB397382DC4EB27D0CA37B6A1E479CDD81BD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0..$..........BC... ...`....... ..............................y.....@..................................B..O....`..@...............((...........A............................................... ............... ..H............text...H#... ...$.................. ..`.rsrc...@....`.......&..............@..@.reloc...............,..............@..B................$C......H........'...............?..X...8A......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*B.....(.........*R.....(...+%-.&(!...*^.....("....(...+&~....*.s$...*"..s%...*..(&...*.*....0......................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):420392
                                                                                                                                                                                                                                        Entropy (8bit):6.10961231240474
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:v5douWvsWkOfjL/MEd6/7vfA8SCW1nFNFfcaFeFOFwcGF6cmFWc0FWc8cIcKcUF1:vpjblhW1V
                                                                                                                                                                                                                                        MD5:D8C8189A5DD97106CCEBA79018923673
                                                                                                                                                                                                                                        SHA1:007AA2E568044189342BD978402651407B2A48A3
                                                                                                                                                                                                                                        SHA-256:C84CA9E85E70A5E633154275FBA1A493CF6BF69B5E6004004A957675C750B56C
                                                                                                                                                                                                                                        SHA-512:3B47301F035FF31CA9B2B2E516DFDFC9BCE210245BA7F1488BD19432100936B959182FE4C29109D962ABA133C6B2010BDCFA5CF70678FAF928F914E370C66BCB
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....d.........." ..0..8...........T... ...`....... ...............................S....`..................................T..O....`..p............B..((..........XS............................................... ............... ..H............text... 6... ...8.................. ..`.rsrc...p....`.......:..............@..@.reloc...............@..............@..B.................T......H........X..\V.................R......................................:.(;.....}....*..{....*:.(;.....}....*..{....*...0...........~<...}.....r...p}........(.....(.....(.....r)..p.(........(u.....~<...(=...,z.....s....}.......}.......}............{............%......(>....%...D....%...!....%...%.........%....%.........s....(B...*vra..p.(....,...}....*..}....*..{....*vr...p.(....,...}....*..}....*..{....*z.{....,......(>...o?...s@...z*.0..(........{....-..(......o....&....(j

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):64040
                                                                                                                                                                                                                                        Entropy (8bit):6.266720718777246
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:FYDFPV3uv9niVSmzPFX8lpJ6TJPe4TW9Lvu2perEuaRtIvqUl1FHEpYi607zlDW:FKC9niwOepJ6TJPeb6NIUFg76KzI
                                                                                                                                                                                                                                        MD5:54BA7A33F778C14C858F8478AA7CE11F
                                                                                                                                                                                                                                        SHA1:287A7666FE9DE62906A17853AF367E9C280EE047
                                                                                                                                                                                                                                        SHA-256:81242FBCCD00F783E4CB57D7A77720E0D361609B9E3443F1F4FBD53549180CF5
                                                                                                                                                                                                                                        SHA-512:7582EE39AF42C9C8355B4A66C299A6F51061C5ADE5CBFA2A0DA07D8D3898E30A227CFAFA976630D8EDE2638F48E63E2D8A4150E9CB4C6CCD94315094EAA62B7B
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....[............" ..0.................. ........... .......................@............`.................................k...O....... ...............((... ..........8............................................ ............... ..H............text........ ...................... ..`.rsrc... ...........................@..@.reloc....... ......................@..B........................H........[..h...........(.......0.........................................{#...*:.($.....}#...*..0..#........u......,.(%....{#....{#...o&...*.*v ..yN )UU.Z(%....{#...o'...X*....0..M........r...p......%..{#....................-.q.............-.&.+.......o(....()...*..{*...*:.($.....}*...*.0..#........u......,.(%....{*....{*...o&...*.*v ..:. )UU.Z(%....{*...o'...X*....0..M........r-..p......%..{*....................-.q.............-.&.+.......o(....()...*..{+...*..{,...*V.($...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):142376
                                                                                                                                                                                                                                        Entropy (8bit):6.160884096361585
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:vUGrszKKLBFa9DvrJGeesIf3afNs2AldfIlqk:2BFd3/aFs2x
                                                                                                                                                                                                                                        MD5:7B46A38CB34CF7129A501D114EED91A7
                                                                                                                                                                                                                                        SHA1:FE284056CDF1079D4AA46EFA0EEA09DC158671D8
                                                                                                                                                                                                                                        SHA-256:0AEDF8E33279A9A9F026EF5000919A1BA38F105B0C3CEE7F6AC3628E1CE441EC
                                                                                                                                                                                                                                        SHA-512:B16BE5B7DFAE0AE5455976B0353D7368FBB080BA4DC85CA4FD56FA01C64DE5E7572196A16992C259C1442EA2D30F212E8D08F7D8F258ADACFBF9D3014CFC2394
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....jM^.........." ..0.................. ... ....... .......................`...........@.................................X...O.... ..0...............((...@...... ................................................ ............... ..H............text........ ...................... ..`.rsrc...0.... ......................@..@.reloc.......@......................@..B........................H........,................................................................('...*>..}......}....*..{....*..{....*..{.....{....3..{.....{....((...*.*..0...........%.u....,..........(....*.*z.{....%-.&.+.o)....{....(a...*..(....zN........o*...s+...*.(....z.s,...*..(....zF(U....(O...s-...*.(....z.(V...s-...*.(....z.s....*.(....z.s/...*..(....zN........o*...s0...*.(....zrr...p(\....c.K...(O...s1...*.(....zBr...p(Y...s1...*.(....z.s2...*.(....z.(X...s3...*.(!...z.(_...s3...*.(#...z

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):110120
                                                                                                                                                                                                                                        Entropy (8bit):5.510686089319165
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:gPOw0SUUKw+GbgjMV+fCY1UiiGZ6qetMXIAMZ2zstK/Yb76k:gWw0SUUKBM8aOUiiGw7qa9tK/Yb/
                                                                                                                                                                                                                                        MD5:0AFC00C0FABFB019074DA907FE70317A
                                                                                                                                                                                                                                        SHA1:B6F8FA76424F44B0EA2FB54A17C84628CDB9B22C
                                                                                                                                                                                                                                        SHA-256:75D8D4D4C7FDCDABC5FBFF18935783A23E0951897B9990339C1B2ECA82F90BAE
                                                                                                                                                                                                                                        SHA-512:43563466B6A356B70717CA53C71D33165B646CA3C6E5771BEFBD08DBA611E791690A0BCEF6F9B3F773265C5C0177BF723046D05C7B18999D0F59C6797D55B8E0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0..v............... ........... ..............................B.....@.................................f...O.......................((.......................................................... ............... ..H............text....u... ...v.................. ..`.rsrc................x..............@..@.reloc..............................@..B........................H........Q..|?..........$... ...D.........................................(....*&.l(....k*&.l(....k*..l.l(....k*..l.l(....k*&.l(....k*&.l(....k*&.l(....k*j~....%-.&(....s....%.....*..*.0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2rG..p.(....*2r...p.(....*2r...p.(.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):17960
                                                                                                                                                                                                                                        Entropy (8bit):6.673799804528098
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:/h06sbbVVPWU2WYNNyb8E9VF6IYijSJIVxeB1evuWj:/y9gpEpYi60A8
                                                                                                                                                                                                                                        MD5:3699832767ACE8B12E18E10C5ED33469
                                                                                                                                                                                                                                        SHA1:1500E3F31786CB63AB2D5FCD71542D24829B9C6A
                                                                                                                                                                                                                                        SHA-256:FA9B02A2EDB45564D38EAEC7C85AAE9B2B6D6A04BA32FEAA771C0812DC85EE79
                                                                                                                                                                                                                                        SHA-512:2FC97EC4F1FA5486C98FBFF3612BE4AA43D774BC5CD961AB7036F3AB067E4771DEA73FDA22B191B65B3362196FC958FBF1279B2BC4A5D4C1346335D30A5BC333
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._...........!.................3... ...@....@.. ....................................@.................................@3..K....@..................((...`....................................................... ............... ..H............text........ ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B................p3......H........$..0...................P ......................................._.%c......=.n')...(v..:}.d...3...B...).. .:Q(....L.jt....}Xv.b7y0r.[..$.....q..c.6.....p..2..qHv/.pb.=..9.o"z.. 0P.t%H....U...0...........q....*..0..............q....*...0..............q....*...0.................*.0....................*..0....................*..0............q.........*....0............q.........*....0............*..0..........*....0................*..0...............*...0..............

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):19496
                                                                                                                                                                                                                                        Entropy (8bit):6.524234329265897
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:LyPa16oAL4D+wW9IWmDIW4IWYDa9Nyb8E9VF6IYijSJIVxFZJr:LWs6oqDjADKeDa5EpYi609r
                                                                                                                                                                                                                                        MD5:84E608824D1DE2D0CC7B3C7072F86CAE
                                                                                                                                                                                                                                        SHA1:57A2B02945E478CBC0EA3DBC7CF4041762718EB1
                                                                                                                                                                                                                                        SHA-256:D2163CA69AA96A2DD6277CDF6BB1990758C677EF7259255995E448F18E1ACA99
                                                                                                                                                                                                                                        SHA-512:09E53F0546218D07C79E8436504097176910A909DD39814A062F19522B33334754F8BAC9F2BB03AC785B9E2463F3E24C12376A601642BC83BCE26D285AE19738
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?.Z.........." ..0.............b2... ...@....... ...................................@..................................2..O....@...............$..((...`......x1............................................... ............... ..H............text...h.... ...................... ..`.rsrc........@......................@..@.reloc.......`......."..............@..B................B2......H........!..T....................0......................................j~....%-.&(....s....%.....*..*...0..$.........(.....o.......&...,....o....,..*.*..................,!(....,..r...p.(....(....*..(....*.*.(....,.r...p......%...%...(....*..(....*.(....,.r...p......%...%...%...(....*...(....*.(....,!r...p......%...%...%...%...(....*....(....*.~....*2r...p.(....*2r[..p.(....*B.....(.........*.BSJB............v4.0.30319......l...4...#~..........#Strings....t.......#US.@.......

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):41512
                                                                                                                                                                                                                                        Entropy (8bit):6.409217717758582
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ljfAw5tisN7Mkvwtwq6uUQ/B0X5tl9wCVjkz3pVS3UpoztjxFUNyb8E9VF6IYijW:lksN74GX7nwOa5VS2ozdxFUEpYi60SXr
                                                                                                                                                                                                                                        MD5:5E0E85A164AA504598B5121AE6B33F4F
                                                                                                                                                                                                                                        SHA1:C2372406F7131D72376CA55B28788049A6FE8EB6
                                                                                                                                                                                                                                        SHA-256:DE2BE1CFE0E784D1FA5FAAF35C6671EA8FE50DC261562570415374DC75D77FB7
                                                                                                                                                                                                                                        SHA-512:3B19E86CCDAEB4F5F4ABDF32EAC26708C2B01C6D6DBABCE318E31C0E882C086DB6E76730DE4853302D768E2F4FBB0457347BA4D5642EBB512F14A4563D9B7AF4
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0..n..........r.... ........@.. ...............................@....`................................. ...O....................z..((.......................................................... ............... ..H............text...xm... ...n.................. ..`.rsrc................p..............@..@.reloc...............x..............@..B................T.......H........!...............1..@Z............................................(....*.~....-.r...p.....(....o....s.........~....*.~....*.......*j(....rY..p~....o....t....*.~....*..(....*Vs....(....t.........*.(.....(....(......,....s....o....*(....*.0..........(....o ...rm..p(!...(".....'...%.. .o#......i./..|s$......)...(.......(%....)...o&.......o'......i.0..+....o(......i.0..+....o)......i....+....o*...s+....o,.....,..(-.....&..*..................0..........(.... ....`(/.....&.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1547
                                                                                                                                                                                                                                        Entropy (8bit):5.008195800038022
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdsIOvPF7NhOXrRH2/dVxlPH2/FVQ7uH2/FVruH2/+mV0PH2/+w39y:3sIk7O7RgdjdgFSagFgg+msg+w3w
                                                                                                                                                                                                                                        MD5:029F543956E8B235A70112C77912150A
                                                                                                                                                                                                                                        SHA1:8F8916C78D9D3E5F92C37BDD39D34CD3B79BECA6
                                                                                                                                                                                                                                        SHA-256:33720B1985FE3F07F13744963085FA641F452EC393C3C8987A6023D0BC493BD1
                                                                                                                                                                                                                                        SHA-512:CF6EF25E7FD7E0B04A4F76B1552621874DAAA43838D0C028E62D1AABFFCD57AC7086A174BE9D5AF283DE8E8F09B5B40505478978102A1D8351681532B3828A38
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):78888
                                                                                                                                                                                                                                        Entropy (8bit):6.0692535230722235
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:r7gzIBxkogIFNU1vTGGsUTcvMOkrIB76hB:rRBxnP25sUTcvwrIBk
                                                                                                                                                                                                                                        MD5:A9F0A629B9676577360E342A81A995AC
                                                                                                                                                                                                                                        SHA1:1877BB7196654D65EB536CF5785F9EA45C92C2CD
                                                                                                                                                                                                                                        SHA-256:01E666A5B281C046830567860D3BBB7BF7FA57A991937BAE0F0F229ABCE0CDAF
                                                                                                                                                                                                                                        SHA-512:34FF88D512AA26332F3497173217E2070F245E132C9ED66EE07F97CBCA0CB3BB133831E2B12AE8472240175BF0C60DCD4A30B83864AEDF505C1D7CEFEDAC16CC
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...3./..........." ..0.............>!... ...@....... ..............................VC....`.................................. ..O....@..................((...`......4 ..8............................................ ............... ..H............text...D.... ...................... ..`.rsrc........@......................@..@.reloc.......`......................@..B.................!......H........X..h............................................................0..........(....(.....r...p... .....r...p..(......o......(.....o......(.....o..........s......[o......s....%.o........o .....s!..........s"...%......io#...o$.....o%...(&.........,...o'......*......y.,........0..........(....(.....r...p... .....r...p..(......o......(.....o.......((.........s......[o......s....%.o........o).......s*..........s"......i.k...........io+.....(.........o,.........,...o'......*.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):953
                                                                                                                                                                                                                                        Entropy (8bit):4.9874198404771155
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7NhOXrRH2/dVxlPH2/FVQ7uH2/F9y:327O7RgdjdgFSagFw
                                                                                                                                                                                                                                        MD5:8C9F9547ABA4CD154FAA858695986C4E
                                                                                                                                                                                                                                        SHA1:667630B8AEA31C20C20EE569983B73028F0DBA21
                                                                                                                                                                                                                                        SHA-256:7DE06E53089587194D3669B5F2050B363CC2AC1BC66F0537EC4D7AD94357D46F
                                                                                                                                                                                                                                        SHA-512:C305E923A197E2C39813D423FE50D94F183E932BCC66DBEE5667AD7F4083254D50510E35ED3603555FEB4C42F580C8A1FA3D1568CC7305D22B79AB406607F836
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):350760
                                                                                                                                                                                                                                        Entropy (8bit):2.9056808142849144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:eO11uSb/jb5JEH8VAynnnnnnnnnnnnnnn82cB:55M
                                                                                                                                                                                                                                        MD5:7F124B21745B25F3F012A455BE67E4BA
                                                                                                                                                                                                                                        SHA1:DB9F15D7230544B804E6B705E2186655E1890C85
                                                                                                                                                                                                                                        SHA-256:D23D9977B25BC0AC9713DE0CAAB77A4B089D80D513DA9F373BA76795A0188E0C
                                                                                                                                                                                                                                        SHA-512:0092A8554A89AAB856CAB81490EED10E38F374F7E3556623E96715066BA1A6549F33218E5E600652B1D06559B6A617A08311D8BB687D22BC65253DECA9B6CF14
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0......d......>.... ........@.. ....................................`.....................................O........a...........2..((........................................................... ............... ..H............text...D.... ...................... ..`.rsrc....a.......b..................@..@.reloc...............0..............@..B................ .......H........*...%..........TP..`............................................0............,t.....r...p(....-..r...p(....-..r...p(....-)+G(....(.....p...(....,.(....+*(.....X...(......,..(.... ....(....+..8...s.........(.... ....`(.......(....rA..p(....rQ..p.%-.&.+.o....(....(......r]..pry..p(....( ...(....,......(....,......(!....("...(#....o$..........s%...(&...(....%(....('...r]..pr...p(....( ...((...s)........~....(*...r]..pr...p(....( ...((....C..r...p(....(+...((...(....rA..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe.config (copy)

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1786
                                                                                                                                                                                                                                        Entropy (8bit):4.998101412964689
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3sIk7O7RgdjdgFSagFgg+msg+w3Zg+wBw:8TizwzH
                                                                                                                                                                                                                                        MD5:DACBD4EDD0163701F63ADA3E81D8540E
                                                                                                                                                                                                                                        SHA1:219647896B3575AA8A07E2903D50304919C27CA7
                                                                                                                                                                                                                                        SHA-256:DF0FBC7B2A5449681549C81B7EB77B2CE8D3C0C62244C39442A73A0291124BCB
                                                                                                                                                                                                                                        SHA-512:5C725DEE661DF9FFE6D3723606FAF98F0B16094DAFC011CDE062436B351671E952A2C6CFA218E08785DBC2E69E97EC8218E1447683C1450C5BF9CCDC75C2EA73
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):350760
                                                                                                                                                                                                                                        Entropy (8bit):2.9056808142849144
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:eO11uSb/jb5JEH8VAynnnnnnnnnnnnnnn82cB:55M
                                                                                                                                                                                                                                        MD5:7F124B21745B25F3F012A455BE67E4BA
                                                                                                                                                                                                                                        SHA1:DB9F15D7230544B804E6B705E2186655E1890C85
                                                                                                                                                                                                                                        SHA-256:D23D9977B25BC0AC9713DE0CAAB77A4B089D80D513DA9F373BA76795A0188E0C
                                                                                                                                                                                                                                        SHA-512:0092A8554A89AAB856CAB81490EED10E38F374F7E3556623E96715066BA1A6549F33218E5E600652B1D06559B6A617A08311D8BB687D22BC65253DECA9B6CF14
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....Eg.........."...0......d......>.... ........@.. ....................................`.....................................O........a...........2..((........................................................... ............... ..H............text...D.... ...................... ..`.rsrc....a.......b..................@..@.reloc...............0..............@..B................ .......H........*...%..........TP..`............................................0............,t.....r...p(....-..r...p(....-..r...p(....-)+G(....(.....p...(....,.(....+*(.....X...(......,..(.... ....(....+..8...s.........(.... ....`(.......(....rA..p(....rQ..p.%-.&.+.o....(....(......r]..pry..p(....( ...(....,......(....,......(!....("...(#....o$..........s%...(&...(....%(....('...r]..pr...p(....( ...((...s)........~....(*...r]..pr...p(....( ...((....C..r...p(....(+...((...(....rA..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1786
                                                                                                                                                                                                                                        Entropy (8bit):4.998101412964689
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:3sIk7O7RgdjdgFSagFgg+msg+w3Zg+wBw:8TizwzH
                                                                                                                                                                                                                                        MD5:DACBD4EDD0163701F63ADA3E81D8540E
                                                                                                                                                                                                                                        SHA1:219647896B3575AA8A07E2903D50304919C27CA7
                                                                                                                                                                                                                                        SHA-256:DF0FBC7B2A5449681549C81B7EB77B2CE8D3C0C62244C39442A73A0291124BCB
                                                                                                                                                                                                                                        SHA-512:5C725DEE661DF9FFE6D3723606FAF98F0B16094DAFC011CDE062436B351671E952A2C6CFA218E08785DBC2E69E97EC8218E1447683C1450C5BF9CCDC75C2EA73
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>...<startup>....<supportedRuntime version="v4.0" />....<supportedRuntime version="v2.0.50727" />...</startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAss

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):59944
                                                                                                                                                                                                                                        Entropy (8bit):6.132505617622881
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:56O442hHI1kIHLxnuFjBm+UuLcxVePk+CXVT+rB9ezGREpYi60B:56O4JuxnT+UuLMcBClyrvGGa76w
                                                                                                                                                                                                                                        MD5:80D52CC0CA6E0A24C65C0EC6E1D04245
                                                                                                                                                                                                                                        SHA1:1A364154797C2F233111CA4E431CD5F169BCC5C6
                                                                                                                                                                                                                                        SHA-256:A6CD8C4F007327C2B3E5E9772C086139FE7C0208BB17FDFC63B78FC7C639DF77
                                                                                                                                                                                                                                        SHA-512:16E0E7013DA0059137C4CF0436694EBEB98377F1870E976A108DD22F37B6C73033C38722103DBD97F0AC12DA99E31D51B7114B9F7E70FA56F11A1F29B6EC40A5
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................" ..0.................. ........... ....................... .......s....`.................................m...O.......................((..............8............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........X..0.............................................................{....*"..}....*..{....*"..}....*..{....*"..}....*..{....*"..}....*..(....*..s....}.....s....}.....(......o8...(...+}....*..0...........{....o.....8......(.....s.......}E.....u....}D....{D...,........s....(....&+ms.......}G.....u....}F....{F...,........s....(....&+8s.........}I......u....}H.....{H...,.........s....(....&..(....:J.............o.....*.................0..I........{....o.....{....o.....+...(

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1191
                                                                                                                                                                                                                                        Entropy (8bit):4.971943087661362
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JduPF7NhOXrRH2/dVQ7uH2/FVxlPH2/FV0PH2/+w39y:327O7RgdSagFjdgFsg+w3w
                                                                                                                                                                                                                                        MD5:B8E88B1C181AFEB535BFEA1155000E8E
                                                                                                                                                                                                                                        SHA1:EB9066E96542DCE5F35DBF2F1424FD79ACEBB65F
                                                                                                                                                                                                                                        SHA-256:5D094CC46FED5173A2B1BE4C8E5DBDB658D2C14ABD367C47DFC6F6EABD5F295C
                                                                                                                                                                                                                                        SHA-512:58459651D3358FDDD4114AB569786A2306338C08D27D3D449BE2084EAE9D4A619C5650D3699DCA6702AEFDE8F9E77FD9E56C87EF51D4A8CCB2A22A378C488C37
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Runtime.CompilerServices.Unsafe" publicKeyToken="b03f5f7f11d50a3a" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Diagnostics.DiagnosticSource" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-5.0.0.0" newVersion="5.0.0.0" />.. </dependentAssembly>.. <dependentAssembly>.. <assemblyIdentity name="System.Buffers" publicKeyToken="cc7b13ffcd

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):23080
                                                                                                                                                                                                                                        Entropy (8bit):6.500983361117223
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:ALOGTOwM15TRwLm6or29Nyb8E9VF6IYijSJIVxyyNllq:AnMTR0Pa25EpYi60tlq
                                                                                                                                                                                                                                        MD5:677BF5CBCE3B4A8E2B35714DB3EC89D4
                                                                                                                                                                                                                                        SHA1:6317DA7E6DC45CDCE30BCC1AE8FA9DF391B954BB
                                                                                                                                                                                                                                        SHA-256:E10B0E751A752F746305959D765E649BD49B73670BECE4DA5C9ACA549B2E8A08
                                                                                                                                                                                                                                        SHA-512:A80A740E0F314F8A44B6698BDD0465C511140796BEE87990695C61F88A45C5A4290B141D1606447D539E7F18784972AC787B73679AE68A79E46C056FA0C78FBD
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....\.\.........." ..0..(...........G... ...`....... ...............................S....`..................................F..O....`..L............2..((...........E............................................... ............... ..H............text...4'... ...(.................. ..`.rsrc...L....`.......*..............@..@.reloc...............0..............@..B.................G......H........)..$............................................................~....*.......**...(.....*...0...........~.....o......,..~.....o......+i.s(...%.o.....%.o.....%.o.....%.o.....%.o....o ....%.o....o"....%.o....o$....%.o....o&.....~......o........+..*..0............(.......o....o.......o%...o................o!......(....}.......o!......(....}.......o!......(.....o#.......(....X}.......o!......(.....o#.......(....X}..............s..........%..o.....#....%........o ...&*...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1817640
                                                                                                                                                                                                                                        Entropy (8bit):6.551345291101956
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:B9EeNSPwEW3cFSI4Tfm3hvbHsjAJcAMkP4:B9Nzm31PMo4
                                                                                                                                                                                                                                        MD5:1CDFFBCDDE48DD0DF288177F4A36E201
                                                                                                                                                                                                                                        SHA1:70F1740086944DC3551401C54834746BC88B4FB3
                                                                                                                                                                                                                                        SHA-256:FBC738BCA1208ECB4FE086F0C100B746644375BC838CF925DE0AADCB9A0DAEEE
                                                                                                                                                                                                                                        SHA-512:D3903FA3A98F8DDD34C39C9A091285E343AB8FD961EEF130926E2B4E165398263D45D7127DB6E6450560F3CB91A239A39DACB4B8DB2787762E17666DB7AF1B2D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........nN\.. ... ... .Q..... .Q...e. .Q..... ..Q#... ..Q%... ..Q$... .8..... ..].... ...!.~. .rQ(... .rQ ... .wQ.... .rQ"... .Rich.. .........................PE..d.....d.........." .................................................................P....`.................................................P...x................!......((...........@..p............................A...............................................text...0........................... ..`.rdata...1.......2..................@..@.data....`... ...J..................@....pdata...!......."...P..............@..@.gfids...............r..............@..@.rsrc................t..............@..@.reloc...............~..............@..B................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1436200
                                                                                                                                                                                                                                        Entropy (8bit):6.781311333719278
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24576:Ls5ThI+vIjDEzn7tcBGtYnxLbdVlRdouD5RawYkGq78Yr4i9YE1tOvhefHXCvEsZ:WlI+vIjE7mjOuKa8Riy+gvhaIn2+0+
                                                                                                                                                                                                                                        MD5:F31A6B9883F1835F9FB5CB9FB3B877E4
                                                                                                                                                                                                                                        SHA1:2C1DCF590151D9EEE2E34C78C9A9D6AE1517C3C1
                                                                                                                                                                                                                                        SHA-256:B06ABD1357A5D0111C380520A29E93D648632F240090756C61FE9BE9B518B02D
                                                                                                                                                                                                                                        SHA-512:171F9DC37C29508AF911764530286B2AA19731820F0C39B34F063B0E4C4EF16B501763BD32BA2C126CCEF88F89E3140D26A73B67C54AF1036E14049D95CC94F0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v..{2..(2..(2..(.*W(...(.*U(...(.*T(...(..)%..(..)'..(..)=..(.Im(:..(,.5(1..(2..(...(..)3..(..)3..(..Y(3..(..)3..(Rich2..(........PE..L.....d...........!.....f...X............................................................@.........................P...t.......x....`..................((...p..X...@...p...............................@...............H............................text....d.......f.................. ..`.rdata..............j..............@..@.data....8.......,..................@....gfids.......P.......&..............@..@.rsrc........`.......(..............@..@.reloc..X....p.......2..............@..B........................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent.zip

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):584433
                                                                                                                                                                                                                                        Entropy (8bit):7.9996007806235445
                                                                                                                                                                                                                                        Encrypted:true
                                                                                                                                                                                                                                        SSDEEP:12288:AaPKah+cOqB7YBiq57hmRYB2Vb7mde3FV/ruWIwUhA2yaJ4Gi1Cx/cL:xiBiqIYQF7/7ruQWA2Xxi1wS
                                                                                                                                                                                                                                        MD5:B50834694383960830CF48D9836E1108
                                                                                                                                                                                                                                        SHA1:ADC80813181B98A8296BEFA2960A55F939F3BFEE
                                                                                                                                                                                                                                        SHA-256:370A259808052366888284B0CC4C91FF8F23E8008003959B8D0EFB1ADBF00CD6
                                                                                                                                                                                                                                        SHA-512:F87BE933E87275B000BE031AA5DF7536DFD5FE9B99A607CE0904F206E074D3A0687A00654B9B78EDAA2FCCF3D30526E0EE5BD7DCBA4A5DAAFD6FC60EEAAA15C5
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:PK..-......FgY...........5...AgentPackageUpgradeAgent/AgentPackageUpgradeAgent.exe....(.......ch......75d..........z..L.....5...*...S.'.?...h.6..Eo....."y......5...z_...y..&....L..ZZ6.....=U...f...JYj......../..~.%......1,=....,.J....eG.=.i..G..I ..6m~.GO...............E,._&;>o.........{....@..Z.S......]....HS..TW...b...#Rh..H...p.|.A_..Q..NZ4`3a.....DE[.!.7.!.......@..]..ja..P.)..C...!g..UUG.........../..uW.&...!g..G.kv.z]C.-..p.....J..j.1".M..Wt.-x_.....&.g.k....Dc.}$".M....=..:......X?..i.peV..'.."-....e)0..'..D....v...1..1..g..X[...`....y....a...R...BE..:!.%{...v.:.K.#h.u..W..L.l..:.M..DXd.&.}......$.........:....D|t3......Q...&.".3>.@.....H.^.@..2. ..../.Y.............np....G.GU\......6.]i(.E).Z?yj..?V.Q.Q2.. ..q .Z4HN...W......G_.E*v3 ...A...4.....r...z..r..3~..i^..Qvj.:O*:.....+...>s&H.d..sF....V.8.~.'*......6..i......<....ol.($....8.E..s.....6...]WF!]P.I...\/..$....Q.4...r.b4S.Z.$..h....Y..5....v..n.2.K.w......(..?.UH..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):57896
                                                                                                                                                                                                                                        Entropy (8bit):5.807323990997079
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:rNvSjQvTQYc1IY1OwcujXQft0k5df9bq76In:rRSjQvMYcSIJcuMftH5d1bqL
                                                                                                                                                                                                                                        MD5:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                        SHA1:293CAE66CEDBC7385CD49819587D3D5A61629422
                                                                                                                                                                                                                                        SHA-256:0568E0D210DE9B344F9CE278291ACB32106D8425BDD467998502C1A56AC92443
                                                                                                                                                                                                                                        SHA-512:1A3C15E18557A14F0DF067478F683E8B527469126792FAE7B78361DAD29317FF7B9D307B5A35E303487E2479D34830AA7E894F2906EFFF046436428ADA9A4534
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....,g.........."...0.................. ........@.. ....................... ...........`.................................<...O.......x...............((........................................................... ............... ..H............text........ ...................... ..`.rsrc...x...........................@..@.reloc..............................@..B................p.......H........X...s...........................................................0..Y........o.......+C......o......r...p.o....t)...r...p(....,.........,..o.......&....X....i2..*..*...........$;..........8G.......0..#.......~....r/..po.......(....}.....{....(....,.rw..ps....z..{....o......r...p.o.......r...p.o....t)...}.....{.....(....,..r...p..o......}......}.....r...po.......r...p.o....t)...}.....{.....(....,..r...p..o......}......}.......,..o.........5.,..o......,..o......,..o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):535
                                                                                                                                                                                                                                        Entropy (8bit):5.076084597400077
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:MMHdG3VO3rdZRLNFF7ap+5v5OXrRf/2//FicYo4xm:JdfrdDPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                        MD5:D505E3DE03F172FA2B246E210054C5F7
                                                                                                                                                                                                                                        SHA1:F5A480F56F760EEBA3B29108387E54D70A721127
                                                                                                                                                                                                                                        SHA-256:A568F933F09B1AD1EE5E88DDCFFA1FE5921D18B73477136E1FAEE55F2BEF399A
                                                                                                                                                                                                                                        SHA-512:80F01447B43525DBDF5B283522FE14D9AECEF16E55EA3FE36DC0A94B53C49E03BB56136F0911C348FB78FB5AF6112B1DE7C38CBFFBD73ACB2971655EF1B2B859
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.ini

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):12
                                                                                                                                                                                                                                        Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:WhXSnn:WBe
                                                                                                                                                                                                                                        MD5:39DF0BC698F203A4FEF18A68A7B0EADC
                                                                                                                                                                                                                                        SHA1:0EA8D556AF659E0C8D6406B5B3E7E56EE6A10188
                                                                                                                                                                                                                                        SHA-256:F8DD3CEC3612C302B45EA9539002625E58E528A5CB68B4B0E6C3C2A378122C1A
                                                                                                                                                                                                                                        SHA-512:E6FF51381293BFD52EAE39B9868968A76D94BC993BAD5566C532A30E5EE5FE121C2F5B8EAED7ACEE59E3F6B8C1B3BEBB53B07B46F572F3498B1800B0DEAC128D
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:version=27.6

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):96808
                                                                                                                                                                                                                                        Entropy (8bit):6.179305078416296
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:nJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762y9:nQUm2H5KTfOLgxFJjE50vksVUfPvO1c9
                                                                                                                                                                                                                                        MD5:BE16D0F73D33053C3817894C955BFA43
                                                                                                                                                                                                                                        SHA1:6B79C7034EE0E4DBC4B90ADC3B47BF395CAE052D
                                                                                                                                                                                                                                        SHA-256:434EA180FF3960ADF251CF34B8333A1BD70EAA7BDF42279317F2ECD7B7CCEAEB
                                                                                                                                                                                                                                        SHA-512:6F08EC35E1D194328CD923FC22C6BBAFB072497ABA03DAC59F8E78C99D2CC3C87237CC5178CFEBA52078AC729286B8221FD7A8CD676A5A49D2879C553DAB332A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....0.d.........." ..0..H..........zf... ........... ....................................`.................................(f..O.......8............R..((...........d............................................... ............... ..H............text....F... ...H.................. ..`.rsrc...8............J..............@..@.reloc...............P..............@..B................\f......H........k..D............................................................0..>.......~........o....~......(....&.s.......&...~....(....,..(....&..*...........$...........'........(....*.......*.0..4.......(....o....r...p(....r...p(..........(....(......&..*........00......:.(......}....*..0..Z............( ...,......(!...*~..........("........( ...-..(....s#...........,..($.........(!...*..........&E.......0..G........{....,.(......5~%...r'..po&...rm..pr...po'...tR...r...p((..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):186408
                                                                                                                                                                                                                                        Entropy (8bit):5.933461189028906
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:mkfZS7FUguxN+77b1W5GR69UgoCaf8/BCnfKlRUjW01KyFxYV:g+c7b1W4R6joxfQ8Y
                                                                                                                                                                                                                                        MD5:7989DFD7A0AF54F59AD5C3E483A66CF6
                                                                                                                                                                                                                                        SHA1:4F323F2E5174A789A31068DD76355447DB61AFFB
                                                                                                                                                                                                                                        SHA-256:0E47E3F0432060BAE79988A622AAB4334328F85FE443D764D4C81D94C9F3DBAE
                                                                                                                                                                                                                                        SHA-512:757182DF2492B66E06AA3B1854DAB487BB512FC5FBCE869CA4265218F5889D2D5B3748C2FC5B458FA148D10F3F5B61028DCA9B789F6766689BA1A24E9BE06936
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...&..Z.........." ..0...... ......~.... ........... ..............................,Q....@.................................,...O.......................((........................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):331816
                                                                                                                                                                                                                                        Entropy (8bit):6.168523582236471
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:ZBhhiUWKJzPZNRntAXIjxs2f5Jg53XWlvidurmdIq8KmefViYkJTVBXi3VaKtNTk:ZDMUWITZznu85k8Wdn8KmCjIFi3VvY
                                                                                                                                                                                                                                        MD5:41E6FC15337B1F2F556E3DE56D0DB476
                                                                                                                                                                                                                                        SHA1:EF8EAAC6EF9B00383B48762773A5110D7C2F3EEA
                                                                                                                                                                                                                                        SHA-256:81D43F8C0726143F28A33390B78E540C75F48733C3518B9D605C2E52AC0554C4
                                                                                                                                                                                                                                        SHA-512:56956F6BBB56BF481B1434ADC0D37303065206FC4ECA8787B6EC8CD089D7C619875C62BBD282F5F0D9A69820937651968CC343CF5AE251B08345997BDD0555C7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................." ..0.................. ........... .......................@......f.....@.....................................O.......................((... ..........T............................................ ............... ..H............text...<.... ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H............9..............H.............................................{....*..{....*V.(......}......}....*...0..A........u3.......4.,/(.....{.....{....o....,.(.....{.....{....o....*.*.*. ..<. )UU.Z(.....{....o....X )UU.Z(.....{....o....X*...0..b........r...p......%..{.......%q6....6...-.&.+...6...o.....%..{.......%q7....7...-.&.+...7...o.....(....*..{....*..{....*..{....*r.(......}......}......}....*..0..Y........u8.......L.,G(.....{.....{....o....,/(.....{.....{....o....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710184
                                                                                                                                                                                                                                        Entropy (8bit):5.960700401761297
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:NBja5bBvR8Q0TE2HB0WLmvXbsVG1Gw03RzxNHgKhwFBkjSHXP36RMGy1NqTUD:NBjk38WuBcAbwoA/BkjSHXP36RMG+
                                                                                                                                                                                                                                        MD5:2CFBB3EA34E3EAEFB478A1C0BF00190D
                                                                                                                                                                                                                                        SHA1:A9298FD5C46D97C296E06B9D9D4034C2EC657D57
                                                                                                                                                                                                                                        SHA-256:34FFBC77AEA4058D6B4EF621815B5C56EDD35585888FBCC2DE10E7B176EE3A3A
                                                                                                                                                                                                                                        SHA-512:DA46D62BB6466E9B8DF21E75C594C06CBF3D79C8FE6038469B74F6562CCA9B38A482F386034F7B3C0D9DEEA6C5D0420AFE0EA08E59B1BBDA1C07B866D9F0B352
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...p$?..........." ..0.............B.... ........... ....................... .......r....`....................................O.......................((.......... ...T............................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................$.......H.......x...(9............................................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):55848
                                                                                                                                                                                                                                        Entropy (8bit):6.238377987704794
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:SREoc0f5k1KlLoz0WOySMEpnSO7iX16UJKdiYpxDEpYi60WLS:SR8+5k15z0WBZEtgwJx876FG
                                                                                                                                                                                                                                        MD5:2FB2CD6CC7C0B40202165C2ACF27F3FC
                                                                                                                                                                                                                                        SHA1:D3125C28C46AD0083EA1EB65EAE6FA077908D985
                                                                                                                                                                                                                                        SHA-256:4E83AE51D18FABA26E8B1315C199AF46DF7A1AFB18390DB30337679DF54A7812
                                                                                                                                                                                                                                        SHA-512:C84CB5DE47798E6F0459BE87BCBA514FC14531F361909A2B81CFD6B477206B75C9F0F338C1477BF9A87BB7D08ACFEB99342EC5C9F1535F510BE742A27B5ED099
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....<V.........." ..0.................. .........c. ....................... ......s.....`.................................P...O.......H...............((........................................................... ............... ..H............text........ ...................... ..`.rsrc...H...........................@..@.reloc..............................@..B........................H........".................."..P............................................................................................0.......................0.......................................................................................0...............0...................................................................................................0...............0...................................................0...............0..........................................

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):753
                                                                                                                                                                                                                                        Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                        MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                        SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                        SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                        SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallState

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):7466
                                                                                                                                                                                                                                        Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                        MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                        SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                        SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                        SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):256
                                                                                                                                                                                                                                        Entropy (8bit):5.131703836237033
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:Ae4KID189w3pKFSQ9sRLXHB//HlXVRRDE5lXV9RDX:/H4xMSQ9kDHB//tHREjfRX
                                                                                                                                                                                                                                        MD5:964AC8E41F2236F9933D76C84DDEE483
                                                                                                                                                                                                                                        SHA1:5A41BAAE53C6AA92392E1810C312AD0C7957B2B3
                                                                                                                                                                                                                                        SHA-256:80096F5F7C5CBE6895FDF3F87A44A6C5E70DE7D6EA31122168E62F826906D659
                                                                                                                                                                                                                                        SHA-512:FB32DEC9AE0DD5156B4EB4E26C24833C4536193C7965ED470E27DA3C1F715976F948C711EDF9AF5A6733F18FE94B2AB6E3A17AF9227B6F8C3B74326297E5E552
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:/i /IntegratorLogin=irina-pyankova1574@cyberia.pl /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000OMeCIIA1 /AgentId=9242d891-5551-462a-a31d-e7fa704b4ae1.17/12/2024 04:30:52 Trace Starting..17/12/2024 04:31:15 Trace Starting..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\inprocmessaging\trayProcessMessages.json

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):178
                                                                                                                                                                                                                                        Entropy (8bit):5.245835062430704
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3:5PbTsIboHsFrUMv2vC9sWs4UgMHDxZfg0yVqGWhcShTufrsf3J2MzqRI+OPkvOy:RbTpboMFpvwLgMHDrfsWJhTuj25rmRcK
                                                                                                                                                                                                                                        MD5:8CC275C280182D4165DEC7E06A95D793
                                                                                                                                                                                                                                        SHA1:DBF87F61A06F05D9668999B2C87E2977BE07753A
                                                                                                                                                                                                                                        SHA-256:70B991155B83714763FC6275045B28EA8E7AD7515E66E7861CAA743FBFEB8035
                                                                                                                                                                                                                                        SHA-512:166D83BA99FEC1700C8D004BEB036DF5A7356EB8C5F6A50F7656DA9EC37553063BD49E841DBB47ED024CEC07FB1E6B362731641E21C1420A75BC4E3C20049E7F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:eyJJZCI6ImNmOWZlZWNlLTcyZmItNGU3ZC1iMWRhLWJmZGY3MjU5YzY4MyIsIkNyZWF0ZWQiOiIyMDI0LTEyLTE3VDA0OjMyOjAzLjQyNTQ5NDItMDU6MDAiLCJNZXNzYWdlIjoiX0lOSVRfIiwiVGltZW91dCI6IjAwOjAxOjAwIn0=..

                                                                                                                                                                                                                                        C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):256
                                                                                                                                                                                                                                        Entropy (8bit):5.131703836237033
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:Ae4KID189w3pKFSQ9sRLXHB//HlXVRRDE5lXV9RDX:/H4xMSQ9kDHB//tHREjfRX
                                                                                                                                                                                                                                        MD5:964AC8E41F2236F9933D76C84DDEE483
                                                                                                                                                                                                                                        SHA1:5A41BAAE53C6AA92392E1810C312AD0C7957B2B3
                                                                                                                                                                                                                                        SHA-256:80096F5F7C5CBE6895FDF3F87A44A6C5E70DE7D6EA31122168E62F826906D659
                                                                                                                                                                                                                                        SHA-512:FB32DEC9AE0DD5156B4EB4E26C24833C4536193C7965ED470E27DA3C1F715976F948C711EDF9AF5A6733F18FE94B2AB6E3A17AF9227B6F8C3B74326297E5E552
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:/i /IntegratorLogin=irina-pyankova1574@cyberia.pl /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000OMeCIIA1 /AgentId=9242d891-5551-462a-a31d-e7fa704b4ae1.17/12/2024 04:30:52 Trace Starting..17/12/2024 04:31:15 Trace Starting..

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):145968
                                                                                                                                                                                                                                        Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                        MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                        SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                        SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{....*.0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+..*...0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+..*..0..6........~....%-.&~..........s....%.....s ......o!.....o"....*...0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1442
                                                                                                                                                                                                                                        Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                        MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                        SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                        SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                        SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):3318832
                                                                                                                                                                                                                                        Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                        MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                        SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                        SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                        SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R............" ..0..r2..........&1.. ....2...... ........................2.....i.3...@.................................G&1.O.....2..............|2.0(....2.....X.(.p............................................ ............... ..H............text....p2.. ...r2................. ..`.rsrc.........2......t2.............@..@.reloc........2......z2.............@..B................{&1.....H...........$....................(.....................................V!........s.........*.~....-*(....o....o....o.........~....-.~.........~....*..( ...*...0..G.......(!....o"....s.1....s*,..%..(.... ....o.....o 0...Zo....t....o8(..(....*..0..$..........(.....(....o.....(!.......io#...*z...(....(!....o"...o....(....*..0............T....r...p.(O....o$....(....*..0..I.......sG...sB)..s.(..s.(...(....s6(....,..o%....2...(....sV(....+.....%..ox...*..( ...*V.(&.....}......}..

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):215088
                                                                                                                                                                                                                                        Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                        MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                        SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                        SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                        SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....*............" ..0..............'... ...@....... ....................................`..................................'..O....@..t............ ..0(...`.......&..T............................................ ............... ..H............text........ ...................... ..`.rsrc...t....@......................@..@.reloc.......`......................@..B.................'......H........... ...................$&........................................( ...*"..(!...*&...("...*&...(#...*2.r...p(....*"..(....*&...(....*&...(....*2.rE..p(....*"..(....*&...(....*&...(....*2.r...p(....*"..(....*&...(....*&...(....*J..r...p($...(....*v....(%.....(%.....(%...(....*....L...%...%.r...p.%...%.r...p.%....%.r+..p.%...(&...(....*..(....*&...(....*&...(....*.0..)........{.........('...t......|......(...+...3.*....0..)........{.........()...t......|......(...+...3.

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):710192
                                                                                                                                                                                                                                        Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                        MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                        SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                        SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                        SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ......J.....`.....................................O.......................0(.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):602672
                                                                                                                                                                                                                                        Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                        MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                        SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                        SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                        SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...X............." ..0............." ... ...@....... ....................................`.....................................O....@..|...............0(...`..........T............................................ ............... ..H............text...(.... ...................... ..`.rsrc...|....@......................@..@.reloc.......`......................@..B................. ......H............{..................x.......................................r.(......}......}......}....*....0..,........-..{.....o...+.+..{.....{....s.....o...+..*V.(......}......}....*...0...................-..+..o....s"........o$......o,....,..o....,...,....o(........,...oH...,...o......+.......9......o....,..{......o....o....o......s..........o&...8.....{......o....o........9e.....o.....?X.....r...po....9G.....r...po....o....r...p.( ...9&.....r...po....9......r...po....o.....

                                                                                                                                                                                                                                        C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):73264
                                                                                                                                                                                                                                        Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                        MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                        SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                        SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                        SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....>.Z.........." ..0.................. ... ....... .......................`.......f....@.....................................O.... ..P...............0(...@..........8............................................ ............... ..H............text........ ...................... ..`.rsrc...P.... ......................@..@.reloc.......@......................@..B........................H.......$...h...........................................................6..o.........*f..o...........o.........*...o...........o...........o.........*...o...........o ..........o!...........o"........*...o#..........o$..........o%...........o&...........o'........*....0..L.........o(..........o)..........o*...........o+...........o,...........o-........*.0..Y.........o...........o/..........o0...........o1...........o2...........o3...........o4.... ...*....0..k.........o5....

                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AteraAgent.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2402
                                                                                                                                                                                                                                        Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                        MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                        SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                        SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                        SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a

                                                                                                                                                                                                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):651
                                                                                                                                                                                                                                        Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                        MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                        SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                        SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                        SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..

                                                                                                                                                                                                                                        C:\Windows\Installer\476b72.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878669331247909
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:I+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:I+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        MD5:0FF7380978D99A4CC05437261753A4F9
                                                                                                                                                                                                                                        SHA1:B889C0BA4A260C0769C440154D578AB1619B54DE
                                                                                                                                                                                                                                        SHA-256:DB2B39529DFCAB48614EDDB8D5EF60416E8D74D6F05CFCF3A945AE25832D67DF
                                                                                                                                                                                                                                        SHA-512:CA9A8A1E303088F95F3E9A84A23526DE97D14B4F875B5EE7617B94F5B79B073D42E46449A8C5A9EBDDB1DF0EE81B6ABC6A604F2051DD821536B0FCDC24D061FE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\476b74.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878669331247909
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:I+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:I+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        MD5:0FF7380978D99A4CC05437261753A4F9
                                                                                                                                                                                                                                        SHA1:B889C0BA4A260C0769C440154D578AB1619B54DE
                                                                                                                                                                                                                                        SHA-256:DB2B39529DFCAB48614EDDB8D5EF60416E8D74D6F05CFCF3A945AE25832D67DF
                                                                                                                                                                                                                                        SHA-512:CA9A8A1E303088F95F3E9A84A23526DE97D14B4F875B5EE7617B94F5B79B073D42E46449A8C5A9EBDDB1DF0EE81B6ABC6A604F2051DD821536B0FCDC24D061FE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\476b75.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\476b81.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6CCA.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6CCA.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI6CCA.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6CCA.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6CCA.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6CCA.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6CCA.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6F8A.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6F8A.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI6F8A.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI6F8A.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6F8A.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6F8A.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6F8A.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI6F8A.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI85C2.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI85C2.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI85C2.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI85C2.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI85C2.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI85C2.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI85C2.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI8AD4.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437316
                                                                                                                                                                                                                                        Entropy (8bit):6.648143543441185
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:At3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Ks7:4zOE2Z34KGzOE2Z34KI
                                                                                                                                                                                                                                        MD5:5267DE2226170472D7C6B2B6B25C3519
                                                                                                                                                                                                                                        SHA1:87D879B70AFB913969A48874DF0B4DB5D5A9959A
                                                                                                                                                                                                                                        SHA-256:C96D7E2FF5DB4C9FD1285B12D753B44640C355E8AC83DC6E353EB1A79BFC6228
                                                                                                                                                                                                                                        SHA-512:D28E8DAF9CB4FA56E408FB5374CDCCDEA25C6DE98EE6B21450D29683D85C65A9EC78732E3885A1272CBC77B263117A7EEB7B3A849474478CA6033D6DBD73F6F1
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI8AD4.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.#.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..setup.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI8AE5.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI8B63.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSI8C6E.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIA98C.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIA98C.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIA98C.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIA98C.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIA98C.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIA98C.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIA98C.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIB494.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIB494.tmp-\AlphaControlAgentInstallation.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):25600
                                                                                                                                                                                                                                        Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                        MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                        SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                        SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                        SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIB494.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...R..e.........." ..0..Z..........Bx... ........... ....................................`..................................w..O....................................v............................................... ............... ..H............text...HX... ...Z.................. ..`.rsrc................\..............@..@.reloc...............b..............@..B................$x......H........5...A............................................................(....r...p(.....s....o....,.r;..p(....(.... ....*r...p(.....*..0..M........(....r...p(.....s@...oA...,$(H...-..s'...r...pr;..p.o(.....o....r[..p(.....*....0..N........(....r...p(.....o....r...p..o....,..,..~.....o....,..*.s+...o,...r...p(.....*..(....r...p(.....s>...o?...rE..p(.....*..(....rm..p(.....s'...r...p..o(...r...p(.....*..(....r...p(.....s'...r...p..o(...r;..p(.....*..(....r]..p(.....s'...r...p

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIB494.tmp-\CustomAction.config

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1538
                                                                                                                                                                                                                                        Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                        MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                        SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                        SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                        SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIB494.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):184240
                                                                                                                                                                                                                                        Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                        MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                        SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                        SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                        SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....o.].........." ..0...... ......z.... ........... ....................................@.................................(...O................................................................................... ............... ..H............text....w... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIB494.tmp-\Newtonsoft.Json.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):711952
                                                                                                                                                                                                                                        Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                        MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                        SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                        SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                        SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...D.}..........." ..0.................. ........... ....................... ............`.....................................O......................../.............T............................................ ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B.......................H.......d....9..................h.........................................(....*..(....*^.(...........%...}....*:.(......}....*:.(......}....*..(....*:.(......}....*..{....*..(....*..(....*:.(......}....*..{....*.(.........*....}.....(......{.....X.....}....*..0...........-.~....*.~....X....b...aX...X...X..+....b....aX....X.....2.....cY.....cY....cY..|....(......._..{........+,..{|....3...{{......(....,...{{...*..{}.......-..*...0...........-.r...ps....z.o......-.~....*.~....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIB494.tmp-\System.Management.dll

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):61448
                                                                                                                                                                                                                                        Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                        MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                        SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                        SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                        SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....bP.........." ..................... .........c. ....................... ......>.....`.....................................O.......\................>........................................................... ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H........"..`...........D....".......................................................................................0...............0.......................................................................0...............................................................................................................................................0...............0...................................................0...............0..............................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIBB4C.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIC85D.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID118.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):435961
                                                                                                                                                                                                                                        Entropy (8bit):6.651458451760752
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Kt3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4Kse:yzOE2Z34KGzOE2Z34K5
                                                                                                                                                                                                                                        MD5:4BC98D15E818BC6747D40B12D05812C4
                                                                                                                                                                                                                                        SHA1:8EA61AA765117BBB19FF122C4F3A5D65222A3938
                                                                                                                                                                                                                                        SHA-256:8186E215EDC62C46AA185712B13EE89D877CC1671E46CB325AE13F225A3E67A0
                                                                                                                                                                                                                                        SHA-512:38DBBCB6C566ED2F8D9A6857638A3BA5044B9C2B276262A71A87D3ECA2D4EB197DEBFF2C2B506187E5F19E2A3EA2F559B54D67A854DFBD2599D9C002443CC96E
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSID118.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.$.Y.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..setup.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........InstallInitialize......&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}....&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}c.&.{18F64F52-CE08-434F-A5F1-7A8A39D59EEA}............StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID148.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID2DF.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSID419.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIEB7A.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):437217
                                                                                                                                                                                                                                        Entropy (8bit):6.64785127959558
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:Kt3jOZy2KsGU6a4Kspt3jOZy2KsGU6a4Ksm:yzOE2Z34K+zOE2Z34K7
                                                                                                                                                                                                                                        MD5:52226186D2144A6B6BEC14ABBE95080B
                                                                                                                                                                                                                                        SHA1:22E69C190E9E102B5CF7ED06B5E213546B08B443
                                                                                                                                                                                                                                        SHA-256:9AA46273D080B69183AD054C5860E89E3B21F563737391D682A0EEEABD61F394
                                                                                                                                                                                                                                        SHA-512:434348F68B237CE72E14BA11F8A5FA2DE45874BE83C6109357569241DF807C129395F72657029CE5C21BE263EE6F7DC4B3B51F7D7A6F81FC6948BAB33F9F9AD3
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIEB7A.tmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...@IXOS.@.....@.$.Y.@.....@.....@.....@.....@.....@......&.{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}..AteraAgent..ateraAgentSetup64_1_8_7_2.msi.@.....@.....@.....@........&.{911E9E2F-B38D-4D02-A148-5E49FC9D8943}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[....

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIEBF8.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIECC4.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIED52.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):216496
                                                                                                                                                                                                                                        Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                        MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                        SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                        SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                        SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[........................... ..`.rdata..............................@..@.data...."... ......................@....rsrc...x....P......................@..@.reloc.......`......................@..B........................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\MSIF448.tmp

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):521954
                                                                                                                                                                                                                                        Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                        MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                        SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                        SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                        SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..................'P\....'P^....'P_...........................>.......4..................R......:...........Rich...........................PE..L....o.]...........!.....D...|.......L.......`......................................S#....@.........................0}...*......x.......d.......................4... s..T...........................xs..@............`..l............................text....B.......D.................. ..`.rdata...Q...`...R...H..............@..@.data...p...........................@....rsrc...d...........................@..@.reloc..4...........................@..B................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1729967758483966
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72Fj5AGiLIlHVRpIh/7777777777777777777777777vDHFzTPrfWrl0i8Q:JzQI5wBTr/F
                                                                                                                                                                                                                                        MD5:BF7E7DECF1B016C1AFD09EEB97A3754A
                                                                                                                                                                                                                                        SHA1:7802B54C94B3CFC85F2982E2EA801E9F9961970F
                                                                                                                                                                                                                                        SHA-256:57D2A7165F575C0B0F896D47E003CBCFFAB8B2DF61B30E31D0E2510C1837F874
                                                                                                                                                                                                                                        SHA-512:75E39B804E670CD77055F764DA2AC2243725CF583A242FCF4D59C11691E023796D19FC1800D24C73A0F553B720E9870284E98368B902F425546B880BEE19E8FC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.1631681441320203
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:JSbX72Fj8AGiLIlHVRpMh/7777777777777777777777777vDHFFvWlp3Xl0i8Q:JKQI5c3S6F
                                                                                                                                                                                                                                        MD5:DD02986E66B9BFD017D90AF0434200DF
                                                                                                                                                                                                                                        SHA1:558634C1070AC1D1248ACACFA3437C5845B9CFB4
                                                                                                                                                                                                                                        SHA-256:C4032D53C661CAF80B99AA523C3031CC87CC7A7865428994D3102DFB0E81787E
                                                                                                                                                                                                                                        SHA-512:24C0C7081BBE3DF51C928E1259EB107135AC951AF4F0FCCA3A0461F3B9738BE99ED8ADFCC6B857F56AA1ADC8817565050C32F12FAAB73ECEC54C21072D897075
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Installer\inprogressinstallinfo.ipi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6208281049569226
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FJ8PhPuRc06WXJEnT5XDhqISoedvPdvbCnuhnq9HnYuCQ+dStedvPdvxubS:FEhP1HnTJD8IciuBuHG4
                                                                                                                                                                                                                                        MD5:E839A6D765E65BFBC29A300DB40D6910
                                                                                                                                                                                                                                        SHA1:FF72763CD4717E1772A20E611129F2056173BD6E
                                                                                                                                                                                                                                        SHA-256:EC617738275FB1A21C9816885B2C6D5653258374115318A6BA52EA61DB440B19
                                                                                                                                                                                                                                        SHA-512:B6CE3C016DDC293F96890A3B56B0A1F45B8D097ACF948ED346F8AA4F885494F25D7FC45129A181EB8A0360C84CD36C3460F911B0C91AD3B13A8232C7D8949BAF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):432221
                                                                                                                                                                                                                                        Entropy (8bit):5.375169337118159
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26Kgau/:zTtbmkExhMJCIpEr2
                                                                                                                                                                                                                                        MD5:1B0C371B447CBF1EF94A73A79E3B4822
                                                                                                                                                                                                                                        SHA1:D8E555FCA801CCE04970FCE9E48F8AF09E493D04
                                                                                                                                                                                                                                        SHA-256:C67FF0F6675C43E975119DDE422FA67CAF74B7B67F86AC2FEF8CFBCBE90F9422
                                                                                                                                                                                                                                        SHA-512:384CE0A4FDE0C55DBBD06CE0B8993C36BD2A1C865AEC56DEF5F4218F1E9678B82CD17E31FA99DB167CFBFF8939C134ED6789FB4268D91E82C0EA863D94E9DDAC
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [

                                                                                                                                                                                                                                        C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):651
                                                                                                                                                                                                                                        Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                        MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                        SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                        SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                        SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..

                                                                                                                                                                                                                                        C:\Windows\System32\InstallUtil.InstallLog

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):704
                                                                                                                                                                                                                                        Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                        MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                        SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                        SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                        SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 4761 bytes, 1 file, at 0x2c +A "disallowedcert.stl", number 1, 1 datablock, 0x1 compression
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):4761
                                                                                                                                                                                                                                        Entropy (8bit):7.945585251880973
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:6ZUpZsm0HwZ8FLSeXs+aiL9qcZ7KtlAD1GlNHgdkVI5F11AcNmwkVFzGz6ENhZC7:62T0QOLl8vAqcZ7K3AUNAdx5FAx9VEOj
                                                                                                                                                                                                                                        MD5:77B20B5CD41BC6BB475CCA3F91AE6E3C
                                                                                                                                                                                                                                        SHA1:9E98ACE72BD2AB931341427A856EF4CEA6FAF806
                                                                                                                                                                                                                                        SHA-256:5511A9B9F9144ED7BDE4CCB074733B7C564D918D2A8B10D391AFC6BE5B3B1509
                                                                                                                                                                                                                                        SHA-512:3537DA5E7F3ABA3DAFE6A86E9511ABA20B7A3D34F30AEA6CC11FEEF7768BD63C0C85679C49E99C3291BD1B552DED2C6973B6C2F7F6D731BCFACECAB218E72FD4
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MSCF............,...................O..................YWP .disallowedcert.stl.lJ..B...CK.wTS.....{.&Uz.I."E".HS@. .P.!.....*E. .DQ..... EDA.H. E..""/.s<.s.9.....&#.{~k.VV..7@......b.R....MdT..B.L..%.C......" ....%.4%..%*.B..T.d...S.....pem..$....&.q.`.+...E..C.....$.|.A.!~d.H>w%S$...QC't..;..<..R@....2. .l..?..c..A....Ew...l..K$.. ~...'......Mt^c..s.Y%..}......h......m....h.......~d...,...=ge3.....2%..(...T..!].....!C~.X..MHU.o[.z].Y...&lXG;uW.:...2!..][\/.G..]6#.I...S..#F.X.k.j.....)Nc.].t^.-l.Y...4?.b...rY....A......7.D.H\.R...s.L,.6.*|.....VQ....<.*.......... [Z....].N0LU.X........6..C\....F.....KbZ..^=.@.B..MyH...%.2.>...]..E.....sZ.f..3z.].Y.t.d$.....P...,. .~..mNZ[PL.<....d..+...l.-...b.^....6F..z.&.;D.._..c."...d..... k9....60?&..Y.v.dgu...{.....{..d=..$......@^..qA..*uJ..@W.V..eC..AV.e+21...N.{.]..]..f]..`Z.....]2.....x..f..K...t. ...e.V.U.$PV..@6W\_nsm.n.........A<.......d....@f..Z... >R..k.....8..Y....E>..2o7..........c..K7n....

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):471
                                                                                                                                                                                                                                        Entropy (8bit):7.252336318369226
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:J0MgYPq9dUI5o7UmhVPqn1qqfuCUNfEnNWFzgAKi7XpKzIsVWpXjZO+CdDVIvX3n:JyYOdX5GLsHdBq7gLF/ZV0X3mh5aP
                                                                                                                                                                                                                                        MD5:D80438E1D2A0AABFB85F0320CC3FCDA9
                                                                                                                                                                                                                                        SHA1:E109B3A8B796156B33B44B0AF1260C4B33EA83DE
                                                                                                                                                                                                                                        SHA-256:CD97A00221FEE3183E6B16AEF73479CFFAC000A415BFE07755326F2ED21A78E5
                                                                                                                                                                                                                                        SHA-512:2CFCA1F287EE845EA20C60377D3E5F5C4D646BD997D03B2CC1858C99246CD3D327CD46883AB00A3930BE40B844398E57F5515002A633D78419AE2788CE75A8B0
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0......E....1-Q...!..m....20241216190516Z0s0q0I0...+...........@..D3=?..Mn8...Q..E....1-Q...!..m..........-...P..@.Z....20241216190516Z....20241223190516Z0...*.H...............H..l}i.^.+..e...3...Z.R.v.L.....]Z..S.%0%..gj....eh...G O.D....'E....S....^2\.j3 .....&[/....d.}.........0X.Z.9,..GD;..P..e.|... ..6}z.`........L...J.(......$...F@6.....I...#L.#.....{..E'z....V2%....,R+'.....w....P.xO......C_.j..}^..^..}.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.556681735949882
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5o6Tq9Rc5h44TUqsqpEtIFl+MjZToAQSb47VyEbx+ncdRRMi/l225Rp2zaH6uO:5IcoqqmmMjZxQSb4gEbQncdRaY3p2zv
                                                                                                                                                                                                                                        MD5:11A01074C4A8BCE66E078C7946EE8203
                                                                                                                                                                                                                                        SHA1:C5C0FA95A146B150CB44F151B38BE009E37B7E38
                                                                                                                                                                                                                                        SHA-256:55567037B63D7B8A23814B5F220FBA748E4627AA38B01409CA584CE87649900C
                                                                                                                                                                                                                                        SHA-512:3F9FEA79DBF415CC095CA13836E955C1196A7C20263F743EC9D7BE121ACAD5B8C9C0A157738844145B90E399F5C1EEE00DE22ACB897F1839321B1F9DAD077FD7
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0......h7..;._....a{..e.NB..20241216213701Z0s0q0I0...+.........]....^Idk...NG.X....h7..;._....a{..e.NB...(I.x...#...R....20241216212102Z....20241223202102Z0...*.H..............=...%.)9Z....@b..V...].D.z!14..`....S..la....V.-...`..A..|.B.M.}...z.$.>Qs...M.....`..6..T...v...*.. ....}..._..m&4..6.._.Yb.F..F.7/....Q..B.p&...9.~......xS..[XP.].5`v.`.@.....m...,......../)5E.....S.q....5....].R..g.e....S6(..q......Z......2....N<=.6..{.....'ab.OyK...NcN.^.H..C...rm.mq..%r..Kz... ..U.)...E{.?.s/......5CL.V.)..[..|.\..$.,IW#.J...xO>B.....p.G..n...*..@..jf...a_;..QZ.}..XE.M.R....A7*}..R=..NIs:\.....4g.\aY.. ...prS.4..u1b.3/..4.kX.1.2J...}S`gy.......O..;...Gk......

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1716
                                                                                                                                                                                                                                        Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                        MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                        SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                        SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                        SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0...0............@.`.L.^.....0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...210429000000Z..360428235959Z0i1.0...U....US1.0...U....DigiCert, Inc.1A0?..U...8DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA10.."0...*.H.............0........./B.(.x.].9Y...B.3..=..p..&0...h.\..4$..KO.xC........g.RO..W.......>Mp$d....}4}L.W.kC....;....GZ..L.. %............e....I5.=Q..!xE...,.......IpB2......eh..ML..HRh....W]...e...O.,H.V.5........7.....|...2........t..9..`.....1.......#GG...n..m.....jg-.D......;...2Z..j`T.I....\.o.&....8........o.a4\..E(.6*f(_.s.&%....\...L.b.^3........+..6y.....u.e..HP.w....P.F.aX..|..<.(.9....S..G.u0..0.v..[K]taM?..v.X.r.)A...m&vh.A.X..&+..MY.x.J>@G_.Ps..#!Y`.dT..!..8.|f..x8E0.O.cOL....SA|X=G....2...l<.V.........Y0..U0...U.......0.......0...U......h7..;._....a{..e.NB0...U.#..0.......q]dL..g?....O0...U...........0...U.%..0...+.......0w..+........k0i0$..+.....0...http:/

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):727
                                                                                                                                                                                                                                        Entropy (8bit):7.563765755619064
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:12:5onfZ5c5RlRtBfQzssPuxYVo7eZI4KYvRl1ZnMlpplv2yzwULUOkyIjBSrRvtMZH:5ivcdZcsmGWKURtsleK/2jB6vyZQoN
                                                                                                                                                                                                                                        MD5:7FA28022A5503D0807A43C64EC485D19
                                                                                                                                                                                                                                        SHA1:5984EAA8218BB297D44BC0CE3C4A5EB9E88861F7
                                                                                                                                                                                                                                        SHA-256:202789740A345B5741E75718F6295938F39001A9B25489E37D06BC67DED42D15
                                                                                                                                                                                                                                        SHA-512:C63FCF26A67E1C82695B67B31012CB5A6FC503627F4D3007D2F7ECE786B740585439A1DDE1E3324937E598686C4BD8476FA72F4D0E64615C0EADED37317514AD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0..........0.....+.....0......0...0..........q]dL..g?....O..20241216184215Z0s0q0I0...+........."..;F..=\@ua..........q]dL..g?....O....@.`.L.^........20241216184215Z....20241223184215Z0...*.H.............*....l.......SE.r..U1[7v.hQ.n...dp... <J.G.....jZ"-....B^..F.h'..~.w..R.<j>...3s'.b.....s...v.[j.w.."Ck.4.+....Q..$..'..|..........~....p.:.......4.l.a....[.|c......e....[.FZ.z.;a..uV.j.. >.......ay. ..U"9...?y.>....5..9...d=..K!.c.K..v.r<qN1...&....2L...M.Q....X.TX.!..l.{...00>..L.h.........2..3....2..t.]lTi........=gQ....s.Y.u!P>e@._....!?...xC.\..$.cD~.l...H.p;.....w.F.u.*..X...7.j..z`Gm.Jc.e... hU...$.v.*..?....y.y.......M....-.z...aJW...@..L.[.y.......x.x.j8/.:..I.W...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:Certificate, Version=3
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1428
                                                                                                                                                                                                                                        Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                        MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                        SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                        SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                        SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:0...0..x..........W..!2.9...wu\0...*.H........0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40...130801120000Z..380115120000Z0b1.0...U....US1.0...U....DigiCert Inc1.0...U....www.digicert.com1!0...U....DigiCert Trusted Root G40.."0...*.H.............0..........sh..]J<0"0i3..%..!=..Y..).=X.v..{....0....8..V.m...y....._..<R.R....~...W.YUr.h.p..u.js2...D.......t;mq.-... .. .c)-..^N..!a.4...^.[......4@_.zf.w.H.fWW.TX..+.O.0.V..{]..O^.5.1..^......@.y.x...j.8.....7...}...>..p.U.A2...s*n..|!L....u]xf.:1D.3@...ZI...g.'..O9..X..$\F.d..i.v.v=Y]Bv...izH....f.t..K...c....:.=...E%...D.+~....am.3...K...}....!........p,A`..c.D..vb~.....d.3....C....w.....!..T)%.l..RQGt.&..Au.z._.?..A..[..P.1..r."..|Lu?c.!_. Qko....O..E_. ........~.&...i/..-............B0@0...U.......0....0...U...........0...U..........q]dL..g?....O0...*.H..............a.}.l.........dh.V.w.p...J...x\.._...)V.6I]Dc...f.#.=y.mk.T..<.C@..P.R..;...ik.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):340
                                                                                                                                                                                                                                        Entropy (8bit):3.250706039037137
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKJlq5+7DNfUN+SkQlPlEGYRMY9z+s3Ql2DUeXJlOW1:fdLkPlE99SCQl2DUeXJlOA
                                                                                                                                                                                                                                        MD5:67C33377CF6C53628BC43D03FC7A510D
                                                                                                                                                                                                                                        SHA1:136359FA70B8FBA311A5A4C22B50A9580263B166
                                                                                                                                                                                                                                        SHA-256:FF9E43D61FAAE3886A0C3EEE6E7CB3069B9149352F324E9E0BC30D43AEA283B8
                                                                                                                                                                                                                                        SHA-512:68762D58BA215337CA25240601DB16B1AE951484DC24E66E7CC6D3F39C53B388EEAB5BAE670F4BB34F7ECE7CB25684564D5448130E2526C5FF39014FC405DA45
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ........R.@\fP..(....................................................... ........~..MG......&.....6.........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".0.6.c.f.c.c.5.4.d.4.7.d.b.1.:.0."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):400
                                                                                                                                                                                                                                        Entropy (8bit):3.918398498387293
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKnxEjmm+8brXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:/Qb9mxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                                                                                                                                                        MD5:12CB2303BE93638849F5929A06BA75CD
                                                                                                                                                                                                                                        SHA1:FCD5093952AF99CCC76F02706ED9B3184A203128
                                                                                                                                                                                                                                        SHA-256:DD11D65E35F5DFB86948615C8C4DB12547340E0D555DD406EE145C9B98447F8D
                                                                                                                                                                                                                                        SHA-512:5EB8BB8054286D4C8A3D0DC57F47E212D0201333A5B132CBEE7FF274D3BA3E58E55E07DA442C8953CBCCBE34D135D708353EBCAE8F30834489382800F849AC42
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ........EE.ofP..(..................q.O.....mU.....................mU.. ........y.[YP.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):404
                                                                                                                                                                                                                                        Entropy (8bit):3.892559488882355
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kK3p7UtHcJfOAUMivhClroFHXHDZA6liyZlSlMul0bg3PWovy28lhl+KscSikKY3:CKJmxMiv8sF3HtllJZIvOP205scn8
                                                                                                                                                                                                                                        MD5:0F2D484508AE030FD5B15ECB8B760E1C
                                                                                                                                                                                                                                        SHA1:B7D37A54917986CD31C8C7F67F1C1C3FCC366394
                                                                                                                                                                                                                                        SHA-256:E98D54E168D5542375D4794969F8EEDE733C69B0DAAFC30491781280DBDFBDA7
                                                                                                                                                                                                                                        SHA-512:BE339FE7BB4B581E130AE6F6C7B4D64FEEF8B8AB3B5B3A03DB26ECC4C4462A52E46D2FE1D9DDBBE7FEC4AED463ED426A79ABD87E5FC6FE53D167E8D131CF000F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... .... ..._..oP..(.................ph.P...../xU...................../xU.. ..........aP.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.S.R.X.e.r.F.0.e.F.e.S.W.R.r.i.p.T.g.T.k.c.J.W.M.m.7.i.Q.Q.U.a.D.f.g.6.7.Y.7.%.2.B.F.8.R.h.v.v.%.2.B.Y.X.s.I.i.G.X.0.T.k.I.C.E.A.o.o.S.Z.l.4.5.Y.m.N.9.A.o.j.j.r.i.l.U.u.g.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):308
                                                                                                                                                                                                                                        Entropy (8bit):3.213144440746552
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kK6TzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:i+tWOxSW0P3PeXJUZY
                                                                                                                                                                                                                                        MD5:363079BB2A2E43F38004D9642C0F28FF
                                                                                                                                                                                                                                        SHA1:5EFCF5D08072D2E591D0CA8AADA2B696F06DC737
                                                                                                                                                                                                                                        SHA-256:FE5F3B2F6293564BDF4211CFFCB59FF849FD68CEA316043E206AEE96F1E19681
                                                                                                                                                                                                                                        SHA-512:3973091C89EAAD99D6331B9462C09BCBC70F60BE2DA6BB6A6B68C8CB8798B6DFEBE609F27D91D057A9F95205B479EC537E35A3701239F12A3401E7C4E4DCCC03
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ........=...nP..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):412
                                                                                                                                                                                                                                        Entropy (8bit):3.9576212318971487
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKz8IC6+k5QfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:Tb5QmxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                        MD5:B3CB7311997F9A7C56395404AE2FEF73
                                                                                                                                                                                                                                        SHA1:B6B39BE484926B939931BAD0A3FB9693CD16FB90
                                                                                                                                                                                                                                        SHA-256:F66136622B4820B8E5FBCE5A4CF656E93AE4C41A240D56088A95CA7B286C7945
                                                                                                                                                                                                                                        SHA-512:4C49A27A3F370E0D6447F9A52CD006FC3E0DFC44EF87F46F6625B75074F3682B20F3DB4616C2EC325A5D636FA17DE97EAA067DA1E351FD91B79D2692E71AC209
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....(..... .fP..(..................9.O.....bjU.....................bjU.. ........]~MYP.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):254
                                                                                                                                                                                                                                        Entropy (8bit):3.0401228335151798
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:kKn4LDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:wLYS4tWOxSW0PAMsZp
                                                                                                                                                                                                                                        MD5:F941EA5ABA86663A3180E07836060371
                                                                                                                                                                                                                                        SHA1:828AFBCA3BA3BA3750CE8698966DC9159F4C22D4
                                                                                                                                                                                                                                        SHA-256:C162D5824BF3C579A06967FA33BF8089CD8122FD7C689571BDD7A9143C1EBC6E
                                                                                                                                                                                                                                        SHA-512:E4610C29072C80A7F720024746F21AB5CFB835117E20F0E84B5DB97091E19BD2DCBF0403F402DDEFC4B37B9B65E2410B9AAA92A009A070A298A822BBBB5EB043
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:p...... ....l......oP..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1944
                                                                                                                                                                                                                                        Entropy (8bit):5.343420056309075
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                                                                                                                                                        MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                                                                                                                                                        SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                                                                                                                                                        SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                                                                                                                                                        SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1983
                                                                                                                                                                                                                                        Entropy (8bit):5.345248756179348
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKksHVsHT6HNHOHKCHKlT40HKe60:iqbYqGSI6oPtzHeqKks1sz6tuqCqZ40T
                                                                                                                                                                                                                                        MD5:F974F0FCD981AC0581C5498C0155EF91
                                                                                                                                                                                                                                        SHA1:0CF6D5F41937B296EF9D37FC90E56EC8458B96DF
                                                                                                                                                                                                                                        SHA-256:500B63AEC50B89EF4CEC9ED49E53D168CDC35D235CB416B84234D3E45F3AC365
                                                                                                                                                                                                                                        SHA-512:1484917CC2A8E88DD4010FEE60394BD974D5C44ED0482DAD64B06A319E1F7E414321B8BDB06C6DE70152CFEA887BBDEFD2F2689C077251E8D2BBC9448FBF8719
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Runtime\2702

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):3043
                                                                                                                                                                                                                                        Entropy (8bit):5.361093730986187
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKk9HVsHUHhHKe6PfHKWA1eXrHKlT4d6HNHGHPmHKm:iqbYqGSI6oPtzHeqKk91s0Bq13qhA7qp
                                                                                                                                                                                                                                        MD5:7FBB3BC293626F02EEE5D12A2FC44FE7
                                                                                                                                                                                                                                        SHA1:A736DE9B60CEC25864AE995EF046F3F317B5D1AC
                                                                                                                                                                                                                                        SHA-256:B6ED7FB8E1D3A5AB9858099700CDA16766D6F442587CD6F965815CF8AFC1444D
                                                                                                                                                                                                                                        SHA-512:C175AF1525508EEA8DEAE8BE67E4780922492B3D01ACDB36B43220DE5B57898F10558F80C5D6218B61A236D35C41047527C6AD00770F477E23507AAEA7EF2000
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Net.Http\f4

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):1933
                                                                                                                                                                                                                                        Entropy (8bit):5.381647656863045
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:MxHKQwYHKGSI6oPtHTHhAHKKkCHKe6PfHKWA1eXrHKlT4fHeHK/:iqbYqGSI6oPtzHeqKkCq13qhA7qZ4f+m
                                                                                                                                                                                                                                        MD5:52CDAA83C48EDB391B9D77AE080A7F05
                                                                                                                                                                                                                                        SHA1:BC3E421F10517820F55349F0C636CE6F5AC43D25
                                                                                                                                                                                                                                        SHA-256:CC4BC1EB52CD4548732E5120182DE3E3B7F5D9191BAF7B0D40DF17D30D0C0D5C
                                                                                                                                                                                                                                        SHA-512:FDFA5A33A156B89D4772A5A503ECD01B5780CD88B2286FDD0DFA47477A7EF58C5F5720CA591A7F27014AB5ED7A6CE3CDA0E71CD329332498F207AC4439626813
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\545a9409c1

                                                                                                                                                                                                                                        C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:CSV text
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):1075
                                                                                                                                                                                                                                        Entropy (8bit):5.353521172341231
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:ML9E4KQwKDE4KGKZI6KhPKIE4TKBGKoZAE4KKUNa8mE4Dp689:MxHKQwYHKGSI6oPtHTHhAHKKka8mHDpN
                                                                                                                                                                                                                                        MD5:BDADAD127D5A6079C29C0C870A5C3C2C
                                                                                                                                                                                                                                        SHA1:AD5D30886AE959F271CF777D386A31CD792C9A64
                                                                                                                                                                                                                                        SHA-256:7186B9EAC66BD83E5E1C050D81529BC68511538118E65019EBECFD952C22FD55
                                                                                                                                                                                                                                        SHA-512:198087F52C39A32ACE7A90E9212C2AA0F31EDF8349773C8C6C5495CA82C890F9A8A44356AC5AEBB42F3342E6BE981DC4BCFE1D7FB43760745D7240A117257725
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\db3df155ec9c0595b0198c4487f36ca1\System.Xml.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv7

                                                                                                                                                                                                                                        C:\Windows\Temp\AteraSetupLog.txt

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Unicode text, UTF-16, little-endian text, with very long lines (319), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):227602
                                                                                                                                                                                                                                        Entropy (8bit):3.781062577105868
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1536:JHt+HNCBTKofTTYh91lsueaj2pwaUYOSeMuDw7IkB7m1NJqJRC0nH0EsC1pTDPP2:Jr2js5IJqrjcxCHSJGdRET8w
                                                                                                                                                                                                                                        MD5:46BF1AC4F4B0743DF69DE4B814426685
                                                                                                                                                                                                                                        SHA1:CD3EF4A5ACBB8527C8FE2950B60DE321E65995D8
                                                                                                                                                                                                                                        SHA-256:A23E5D9779B21E4FEF5DA5546DB36834F28B3E2BA1AA80B28FC0EF61CB937167
                                                                                                                                                                                                                                        SHA-512:FB37023CF701787BE9627E72109F5319F5EE43F23ECCAAB651C8B4F132827A4EAF4F7CCC0E6D56D8791CCD840430DE236D580294414BBEE5B9E219289BBB479F
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\AteraSetupLog.txt, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:..=.=.=. .V.e.r.b.o.s.e. .l.o.g.g.i.n.g. .s.t.a.r.t.e.d.:. .1.7./.1.2./.2.0.2.4. . .0.4.:.3.2.:.0.1. . .B.u.i.l.d. .t.y.p.e.:. .S.H.I.P. .U.N.I.C.O.D.E. .5...0.0...1.0.0.1.1...0.0. . .C.a.l.l.i.n.g. .p.r.o.c.e.s.s.:. .C.:.\.W.i.n.d.o.w.s.\.S.Y.S.T.E.M.3.2.\.m.s.i.e.x.e.c...e.x.e. .=.=.=.....M.S.I. .(.c.). .(.3.C.:.B.8.). .[.0.4.:.3.2.:.0.1.:.7.4.7.].:. .R.e.s.e.t.t.i.n.g. .c.a.c.h.e.d. .p.o.l.i.c.y. .v.a.l.u.e.s.....M.S.I. .(.c.). .(.3.C.:.B.8.). .[.0.4.:.3.2.:.0.1.:.7.4.7.].:. .M.a.c.h.i.n.e. .p.o.l.i.c.y. .v.a.l.u.e. .'.D.e.b.u.g.'. .i.s. .0.....M.S.I. .(.c.). .(.3.C.:.B.8.). .[.0.4.:.3.2.:.0.1.:.7.4.7.].:. .*.*.*.*.*.*.*. .R.u.n.E.n.g.i.n.e.:..... . . . . . . . . . . .*.*.*.*.*.*.*. .P.r.o.d.u.c.t.:. .C.:.\.W.i.n.d.o.w.s.\.T.E.M.P.\.a.t.e.r.a.A.g.e.n.t.S.e.t.u.p.6.4._.1._.8._.7._.2...m.s.i..... . . . . . . . . . . .*.*.*.*.*.*.*. .A.c.t.i.o.n.:. ..... . . . . . . . . . . .*.*.*.*.*.*.*. .C.o.m.m.a.n.d.L.i.n.e.:. .*.*.*.*.*.*.*.*.*.*.....M.S.I. .(.c.). .(.3.C.:.B.8.). .[.0.4.:.3.2.:.

                                                                                                                                                                                                                                        C:\Windows\Temp\SplashtopStreamer.exe

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                        Category:modified
                                                                                                                                                                                                                                        Size (bytes):51389914
                                                                                                                                                                                                                                        Entropy (8bit):7.95900446136096
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:1572864:xnOdpvYs+cvrrjOAYfDJnEAOns5w5k8BzFlq:xQNLOAYfzOBO8B3q
                                                                                                                                                                                                                                        MD5:B3998D0B14E2CC1B8348BDA293FF55F6
                                                                                                                                                                                                                                        SHA1:FA40AAF0D6131E02A0D4707F1AF5A96764A41678
                                                                                                                                                                                                                                        SHA-256:43793AEF5D73425051BD7265C7A49D255F5BEBCFD6333F089F7424062F3E0FB4
                                                                                                                                                                                                                                        SHA-512:51668B6CA09D6BA20818C6F894A141E0B077DF5C00ACBF044100545D8FA347310B1ED6514896E2E42DAA1DB36A01B0BC6BFC20452688A212F0331344BECD7276
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........{F~.(F~.(F~.(O.8(U~.(F~.(.|.(O.>(\~.(O.((.~.(O./(.~.(O.!(A~.(O.?(G~.(O.:(G~.(RichF~.(................PE..L.....Gg............................./............@.................................Rwd.............................................. ..(............0d..(..........`................................i..@...................D........................text............................... ..`.rdata..............................@..@.data....^......."..................@....rsrc...(.... ......................@..@........................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\ateraAgentSetup64_1_8_7_2.msi

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: x64;1033, Revision Number: {911E9E2F-B38D-4D02-A148-5E49FC9D8943}, Create Time/Date: Wed Feb 28 10:52:04 2024, Last Saved Time/Date: Wed Feb 28 10:52:04 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):2994176
                                                                                                                                                                                                                                        Entropy (8bit):7.878630966889847
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:49152:s+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oq1xMbY+K/tzQz:s+lUlz9FKbsodq0YaH7Z1xMb8tT
                                                                                                                                                                                                                                        MD5:5E90226ABB5A004B0B9DB9A9E67BAC21
                                                                                                                                                                                                                                        SHA1:34EB703055BAFA469A714F18C7F00E5098B764AF
                                                                                                                                                                                                                                        SHA-256:BE0C53481ED4CF3EC4D0AD16053CD18D6AAD8C349B8281F5F9B90B526420CEAE
                                                                                                                                                                                                                                        SHA-512:2676357D10AA76F09F2A1F691C7566D54E34B20716EDF1301B2D69C3E3400D0A70E7C1738AEA9A75334B384AB988CEA3A07B983C900AE32395285BE61673C288
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF02FCC3B492CAA10B.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.14057278047751695
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:CnVubmStedGPdGeqISoedGPdGfo/Zr5y41/4k:icyLId31
                                                                                                                                                                                                                                        MD5:88D3FF0DF1225CF017E2112F2F73911F
                                                                                                                                                                                                                                        SHA1:4F8BB831F79E1EE7E3BEEBD481B0BA4C9797E382
                                                                                                                                                                                                                                        SHA-256:EF4525A638B1D832A9A2310E64F6BD42006EF3A3F16E46E1500CD0A577F64861
                                                                                                                                                                                                                                        SHA-512:4C2D79D45540BCFD545D14AC49755B32FBED67362BF9B301C13C6A6016318411454A01C083423FB610F3B3011E612250079A5293C74B509975CEA40F9D6EA682
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF02FCC3B492CAA10B.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF075573CDEB11ECC0.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.23146867526386
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:dhVUuKNveFXJbT5bDEtqISoedGPdGThaStedGPdGTn:VU8DTdDLIpD
                                                                                                                                                                                                                                        MD5:F5F224D00780C398F835548FD41E8907
                                                                                                                                                                                                                                        SHA1:F5A6AA27A32FA0544F0521A687BBE4E05F9930FD
                                                                                                                                                                                                                                        SHA-256:BE523B35A2F545956101AE3CF04C5E5B4DD31120DA1330F9469CDFF891EFB08D
                                                                                                                                                                                                                                        SHA-512:47E00BB54DA8260B9DAE5E2470706DBE9228B41A4E84A8A06E7A46AF50DD6F06D39027F71710ECAAB35F2277685EB3C4FA8238CED6FCEA5D2595172A6A31FE05
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF075573CDEB11ECC0.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF07C71B751A9EED09.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF1895BF484B59CF8F.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.23146867526386
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:dhVUuKNveFXJbT5bDEtqISoedGPdGThaStedGPdGTn:VU8DTdDLIpD
                                                                                                                                                                                                                                        MD5:F5F224D00780C398F835548FD41E8907
                                                                                                                                                                                                                                        SHA1:F5A6AA27A32FA0544F0521A687BBE4E05F9930FD
                                                                                                                                                                                                                                        SHA-256:BE523B35A2F545956101AE3CF04C5E5B4DD31120DA1330F9469CDFF891EFB08D
                                                                                                                                                                                                                                        SHA-512:47E00BB54DA8260B9DAE5E2470706DBE9228B41A4E84A8A06E7A46AF50DD6F06D39027F71710ECAAB35F2277685EB3C4FA8238CED6FCEA5D2595172A6A31FE05
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF1895BF484B59CF8F.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF195A7889D135AA12.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF4498721C29885B3A.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF4939F92601AB2289.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.221893556639841
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:v8PhcuRc06WXJEnT5nDEtqISoedGPdGThaStedGPdGTn:uhc1HnTZDLIpD
                                                                                                                                                                                                                                        MD5:785D1D5FE4B0C77D9044A3CA22E07E67
                                                                                                                                                                                                                                        SHA1:9A81AA070EA15304C0BD0BCCBC187B5A94042DDC
                                                                                                                                                                                                                                        SHA-256:99E72EB696DDF8913A344886A296F417AB690283CA2FD5640C2450A830E548EB
                                                                                                                                                                                                                                        SHA-512:43C17B1BDB9C5E3467A0BA3D583A6FFCA005F274AD64E2548C5F6A833A265E01EB052E69DAAB4FD19851D80512811E46BD4FAD4513A098C0EA10D51AD7780022
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF4939F92601AB2289.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF4DF5ED62E382D608.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.13082918515601213
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:24:CnAipVfedGSadGS7qIipVGedGSadGSfEqasJG0WTZkaS+Y2+n:CnAStedGPdGeqISoedGPdGTh7SG
                                                                                                                                                                                                                                        MD5:8E531C0DD9EE589C7E13DF5772C3C350
                                                                                                                                                                                                                                        SHA1:1C81AC23406D93E7CE1557365FA87F6CED16DEAA
                                                                                                                                                                                                                                        SHA-256:37A8FD64391462B8154D976D7AFCAC546AC9408F0D26DE85C3D5BE3D194DF892
                                                                                                                                                                                                                                        SHA-512:B20399D213973BF5A5ED9CEC5BC21B8E83FC03ABD99D4A61949A09FA020F01062CF06B085985D1602813168A4F4DDC9DD5F396C907B8727C4E3AE4EE6F68867D
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF4DF5ED62E382D608.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF5723C93FE86287DD.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF59B0E42AEAB58E26.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF5DD13AAEAD71C952.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2482583348950649
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:Xz0uWAMLFXOTT5Bt4N5qISoedGPdGfo/Zr5y4MStedGPdGRub1n:j09OTQEId3Mox
                                                                                                                                                                                                                                        MD5:4BD000E3B287CE3495D0FD98D6AF7B3F
                                                                                                                                                                                                                                        SHA1:D02CCD27EBCC4B834F08CD5885513F712C0187EA
                                                                                                                                                                                                                                        SHA-256:C52ABAF1EBB3AC58D88A0A86A93FB95B6F572936BB6DDAD4F53C2011F1C5753D
                                                                                                                                                                                                                                        SHA-512:1FF97F1F3B9631FE56EABFC94A7F21D5D94307ECF46EB897EB9290AD5D510A0E953BF859048ED663B0441E3BB2FA044946481400B0E9409B423FE3BE34C4E0F7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF5DD13AAEAD71C952.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF669388D7BED9869C.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF6B15EEE745742680.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6208281049569226
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FJ8PhPuRc06WXJEnT5XDhqISoedvPdvbCnuhnq9HnYuCQ+dStedvPdvxubS:FEhP1HnTJD8IciuBuHG4
                                                                                                                                                                                                                                        MD5:E839A6D765E65BFBC29A300DB40D6910
                                                                                                                                                                                                                                        SHA1:FF72763CD4717E1772A20E611129F2056173BD6E
                                                                                                                                                                                                                                        SHA-256:EC617738275FB1A21C9816885B2C6D5653258374115318A6BA52EA61DB440B19
                                                                                                                                                                                                                                        SHA-512:B6CE3C016DDC293F96890A3B56B0A1F45B8D097ACF948ED346F8AA4F885494F25D7FC45129A181EB8A0360C84CD36C3460F911B0C91AD3B13A8232C7D8949BAF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF6B15EEE745742680.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF78F1DE91B6E79342.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF7E7D4B916855C95A.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF856228A69E1C7F63.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.556705194038622
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:58Ph8uRc06WXOCFT5pt4N5qISoedGPdGfo/Zr5y4MStedGPdGRub1n:0h81UFT4EId3Mox
                                                                                                                                                                                                                                        MD5:5F0572F01D10E2FB0A9C4A2A09EA6A9F
                                                                                                                                                                                                                                        SHA1:BD17D35D93DD3FC9C74CF4D87C239D2AEDAEDE2D
                                                                                                                                                                                                                                        SHA-256:86F33EF9D4D32C86BEB25587A08C5D4A18485C771FD7C00E7A8CB2BE56770B49
                                                                                                                                                                                                                                        SHA-512:16036ABF2178C9B14DDA40CBF1673675DA2F59C6DA3057EF68C51C68493A5549E684021FC91FF671A763E28DD152FEE1BE02FEBCA910E022DBE4B0A92B110588
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF856228A69E1C7F63.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF8B64D014C4383737.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):69632
                                                                                                                                                                                                                                        Entropy (8bit):0.1636960317202306
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:TEubmStedvPdv+qISoedvPdvbCnuhnq9HnYuCQ+Y3:hybIciuBuHF3
                                                                                                                                                                                                                                        MD5:C52F7613C1DC13313FA6E88966F202AC
                                                                                                                                                                                                                                        SHA1:3833B3C2ECFB90CB07A76E6DD26D413ECFB461CF
                                                                                                                                                                                                                                        SHA-256:902E71DC0A05C5F9E4E0D85E74E1D54B723325E350EA841665B0F4DC8619A0A7
                                                                                                                                                                                                                                        SHA-512:4832FB92A3E8122217B45C9D8B1811B7C635AFC400C481437ABBBF653BD2C21813AFDF097F96F12F89AD35FD6DA852F8C3F7990F64338AB13CFBBF0099444036
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF8B64D014C4383737.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF909A1D070B5DB00B.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.001192248162735
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:OMMXukNveFXJbT5pBDhqISoedvPdvbCnuhnq9HnYuCQ+dStedvPdvxubS:+XeDTnBD8IciuBuHG4
                                                                                                                                                                                                                                        MD5:5699BA95FCDD03FBD1C54F8AB1B6AE1E
                                                                                                                                                                                                                                        SHA1:85B57C937339E6E917AAC57303FF29EBEBE5D8D8
                                                                                                                                                                                                                                        SHA-256:D0D77C5BABF86B0CBF88F8A9DD301978511943C9A1E8D210B3872FA711AC594B
                                                                                                                                                                                                                                        SHA-512:628E8E9B7423EF942A611A76F06B5BE2C9A36550A5A6310CEFABB79BBB1F160A47C8C58E0C90B5B0CD976E5F03DB1FFC6B2E390151E40464332AEA919633C4B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF909A1D070B5DB00B.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF930ECACDFB3B4876.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.06946578846229791
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOAGvUkHS3GyVky6l3X:2F0i8n0itFzDHFFvWE3X
                                                                                                                                                                                                                                        MD5:5C0FB827C2EF8D7BF859AD0FEAE52C11
                                                                                                                                                                                                                                        SHA1:6F104C3830EF56A2C815C1C27B3833BC70C23B59
                                                                                                                                                                                                                                        SHA-256:C9DC0E6919FD27750D1BD44303D38BB903FE7CF328BBC1511784E122FB8F13A6
                                                                                                                                                                                                                                        SHA-512:7B6BC3C675EDD4F6661CF00F76C374ED292BBD309822C4B432133AFA4D4DAA562E58BACF6A6EBE1143AD167A4097F71C6AFB18F54DC555A3A78B1989120F215C
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF9CB02A1CDB19CD90.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2482583348950649
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:Xz0uWAMLFXOTT5Bt4N5qISoedGPdGfo/Zr5y4MStedGPdGRub1n:j09OTQEId3Mox
                                                                                                                                                                                                                                        MD5:4BD000E3B287CE3495D0FD98D6AF7B3F
                                                                                                                                                                                                                                        SHA1:D02CCD27EBCC4B834F08CD5885513F712C0187EA
                                                                                                                                                                                                                                        SHA-256:C52ABAF1EBB3AC58D88A0A86A93FB95B6F572936BB6DDAD4F53C2011F1C5753D
                                                                                                                                                                                                                                        SHA-512:1FF97F1F3B9631FE56EABFC94A7F21D5D94307ECF46EB897EB9290AD5D510A0E953BF859048ED663B0441E3BB2FA044946481400B0E9409B423FE3BE34C4E0F7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF9CB02A1CDB19CD90.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DF9EB38B69E8B8E92D.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):0.077966497703753
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKO1LtCmOuPrfkiVky6l51:2F0i8n0itFzDHFzTPrfWr
                                                                                                                                                                                                                                        MD5:785EA75A2FB1DB6D9155B28A1291DAF3
                                                                                                                                                                                                                                        SHA1:6B86F7E077D0A8823383FBB776313FEDB17BFDEA
                                                                                                                                                                                                                                        SHA-256:BCD727E77C067BD5A31C13E8024F00ED60381D9AB725CAE2E6777A5708C9DDE0
                                                                                                                                                                                                                                        SHA-512:1834BBF627951711C96708EE7AA4B6C069055E832C717561DC77592E68EFB93E65FE825A5D3D13859057C93BE96CC12701D725491C4CFC49A4EE4FD40942E72A
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFA6F35F9524476E30.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.23146867526386
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:dhVUuKNveFXJbT5bDEtqISoedGPdGThaStedGPdGTn:VU8DTdDLIpD
                                                                                                                                                                                                                                        MD5:F5F224D00780C398F835548FD41E8907
                                                                                                                                                                                                                                        SHA1:F5A6AA27A32FA0544F0521A687BBE4E05F9930FD
                                                                                                                                                                                                                                        SHA-256:BE523B35A2F545956101AE3CF04C5E5B4DD31120DA1330F9469CDFF891EFB08D
                                                                                                                                                                                                                                        SHA-512:47E00BB54DA8260B9DAE5E2470706DBE9228B41A4E84A8A06E7A46AF50DD6F06D39027F71710ECAAB35F2277685EB3C4FA8238CED6FCEA5D2595172A6A31FE05
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA6F35F9524476E30.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFA8AD7E5C0716F3AA.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.556705194038622
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:58Ph8uRc06WXOCFT5pt4N5qISoedGPdGfo/Zr5y4MStedGPdGRub1n:0h81UFT4EId3Mox
                                                                                                                                                                                                                                        MD5:5F0572F01D10E2FB0A9C4A2A09EA6A9F
                                                                                                                                                                                                                                        SHA1:BD17D35D93DD3FC9C74CF4D87C239D2AEDAEDE2D
                                                                                                                                                                                                                                        SHA-256:86F33EF9D4D32C86BEB25587A08C5D4A18485C771FD7C00E7A8CB2BE56770B49
                                                                                                                                                                                                                                        SHA-512:16036ABF2178C9B14DDA40CBF1673675DA2F59C6DA3057EF68C51C68493A5549E684021FC91FF671A763E28DD152FEE1BE02FEBCA910E022DBE4B0A92B110588
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA8AD7E5C0716F3AA.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA8AD7E5C0716F3AA.TMP, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFA8AD7E5C0716F3AA.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFADE2042B27E71D27.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):20480
                                                                                                                                                                                                                                        Entropy (8bit):1.6208281049569226
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:FJ8PhPuRc06WXJEnT5XDhqISoedvPdvbCnuhnq9HnYuCQ+dStedvPdvxubS:FEhP1HnTJD8IciuBuHG4
                                                                                                                                                                                                                                        MD5:E839A6D765E65BFBC29A300DB40D6910
                                                                                                                                                                                                                                        SHA1:FF72763CD4717E1772A20E611129F2056173BD6E
                                                                                                                                                                                                                                        SHA-256:EC617738275FB1A21C9816885B2C6D5653258374115318A6BA52EA61DB440B19
                                                                                                                                                                                                                                        SHA-512:B6CE3C016DDC293F96890A3B56B0A1F45B8D097ACF948ED346F8AA4F885494F25D7FC45129A181EB8A0360C84CD36C3460F911B0C91AD3B13A8232C7D8949BAF
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFADE2042B27E71D27.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFB42BC111D2278864.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFB9D66B420A28B0B5.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFCE5890D4D9F87FFD.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFD053BE32D394C354.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFD11577AEB76C88DC.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFDFE05222FB56D641.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.001192248162735
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:OMMXukNveFXJbT5pBDhqISoedvPdvbCnuhnq9HnYuCQ+dStedvPdvxubS:+XeDTnBD8IciuBuHG4
                                                                                                                                                                                                                                        MD5:5699BA95FCDD03FBD1C54F8AB1B6AE1E
                                                                                                                                                                                                                                        SHA1:85B57C937339E6E917AAC57303FF29EBEBE5D8D8
                                                                                                                                                                                                                                        SHA-256:D0D77C5BABF86B0CBF88F8A9DD301978511943C9A1E8D210B3872FA711AC594B
                                                                                                                                                                                                                                        SHA-512:628E8E9B7423EF942A611A76F06B5BE2C9A36550A5A6310CEFABB79BBB1F160A47C8C58E0C90B5B0CD976E5F03DB1FFC6B2E390151E40464332AEA919633C4B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFDFE05222FB56D641.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFE359647684E9C096.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFEFF35E4F4CBB1F50.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:data
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):512
                                                                                                                                                                                                                                        Entropy (8bit):0.0
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:3::
                                                                                                                                                                                                                                        MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                        SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                        SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                        SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFF2C6D625F2EAC65D.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.221893556639841
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:v8PhcuRc06WXJEnT5nDEtqISoedGPdGThaStedGPdGTn:uhc1HnTZDLIpD
                                                                                                                                                                                                                                        MD5:785D1D5FE4B0C77D9044A3CA22E07E67
                                                                                                                                                                                                                                        SHA1:9A81AA070EA15304C0BD0BCCBC187B5A94042DDC
                                                                                                                                                                                                                                        SHA-256:99E72EB696DDF8913A344886A296F417AB690283CA2FD5640C2450A830E548EB
                                                                                                                                                                                                                                        SHA-512:43C17B1BDB9C5E3467A0BA3D583A6FFCA005F274AD64E2548C5F6A833A265E01EB052E69DAAB4FD19851D80512811E46BD4FAD4513A098C0EA10D51AD7780022
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFF2C6D625F2EAC65D.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFF3A84280FF13AB42.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):49152
                                                                                                                                                                                                                                        Entropy (8bit):1.001192248162735
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:OMMXukNveFXJbT5pBDhqISoedvPdvbCnuhnq9HnYuCQ+dStedvPdvxubS:+XeDTnBD8IciuBuHG4
                                                                                                                                                                                                                                        MD5:5699BA95FCDD03FBD1C54F8AB1B6AE1E
                                                                                                                                                                                                                                        SHA1:85B57C937339E6E917AAC57303FF29EBEBE5D8D8
                                                                                                                                                                                                                                        SHA-256:D0D77C5BABF86B0CBF88F8A9DD301978511943C9A1E8D210B3872FA711AC594B
                                                                                                                                                                                                                                        SHA-512:628E8E9B7423EF942A611A76F06B5BE2C9A36550A5A6310CEFABB79BBB1F160A47C8C58E0C90B5B0CD976E5F03DB1FFC6B2E390151E40464332AEA919633C4B7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFF3A84280FF13AB42.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        C:\Windows\Temp\~DFFC9FD086608A5E84.TMP

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):32768
                                                                                                                                                                                                                                        Entropy (8bit):1.2482583348950649
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:48:Xz0uWAMLFXOTT5Bt4N5qISoedGPdGfo/Zr5y4MStedGPdGRub1n:j09OTQEId3Mox
                                                                                                                                                                                                                                        MD5:4BD000E3B287CE3495D0FD98D6AF7B3F
                                                                                                                                                                                                                                        SHA1:D02CCD27EBCC4B834F08CD5885513F712C0187EA
                                                                                                                                                                                                                                        SHA-256:C52ABAF1EBB3AC58D88A0A86A93FB95B6F572936BB6DDAD4F53C2011F1C5753D
                                                                                                                                                                                                                                        SHA-512:1FF97F1F3B9631FE56EABFC94A7F21D5D94307ECF46EB897EB9290AD5D510A0E953BF859048ED663B0441E3BB2FA044946481400B0E9409B423FE3BE34C4E0F7
                                                                                                                                                                                                                                        Malicious:true
                                                                                                                                                                                                                                        Yara Hits:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFFC9FD086608A5E84.TMP, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        \Device\ConDrv

                                                                                                                                                                                                                                        Download File
                                                                                                                                                                                                                                        Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        File Type:ASCII text, with very long lines (337), with CRLF line terminators
                                                                                                                                                                                                                                        Category:dropped
                                                                                                                                                                                                                                        Size (bytes):5166
                                                                                                                                                                                                                                        Entropy (8bit):5.051173259749314
                                                                                                                                                                                                                                        Encrypted:false
                                                                                                                                                                                                                                        SSDEEP:96:cXgKIgKcgKRQ/gnSi++aPGl7p7Al4gnSi++aPGl7p7Ac:c5kIRVL/N7c9L/N79
                                                                                                                                                                                                                                        MD5:0D44EBBF2D029DAD6AFF0ED18803801F
                                                                                                                                                                                                                                        SHA1:F8DDD2B7D0B9CDF0DA2158F633929626FA51AD98
                                                                                                                                                                                                                                        SHA-256:76E455E57DBC8115C931E43E3218C374257D4CCD118765F3F23AC6FEBCAC9E71
                                                                                                                                                                                                                                        SHA-512:6B7C292CD2F769927D5DC6D58897844524063925E2C2D7E84147C34D1E137D0DA2A0705232D70C8977D4AECB127DCA4F2D681A10B304C59BCA786B7F7BF6E49F
                                                                                                                                                                                                                                        Malicious:false
                                                                                                                                                                                                                                        Reputation:unknown
                                                                                                                                                                                                                                        Preview:2024-12-17 04:32:22.2466|ERROR|WuApiService|Error on retry number 1: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-17 04:33:45.5654|ERROR|WuApiService|Error on retry number 2: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-17 04:35:46.4051|ERROR|WuApiService|Error on retry number 3: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.....2024-12-17 04:36:54.8645|ERROR|AgentPackageOsUpdates|Error executin

                                                                                                                                                                                                                                        Static File Info

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                        Entropy (8bit):7.878669331247909
                                                                                                                                                                                                                                        TrID:
                                                                                                                                                                                                                                        • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                                                                                                                                        • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                                                                                                                                        • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                                                                                                                                        File name:setup.msi
                                                                                                                                                                                                                                        File size:2'994'176 bytes
                                                                                                                                                                                                                                        MD5:0ff7380978d99a4cc05437261753a4f9
                                                                                                                                                                                                                                        SHA1:b889c0ba4a260c0769c440154d578ab1619b54de
                                                                                                                                                                                                                                        SHA256:db2b39529dfcab48614eddb8d5ef60416e8d74d6f05cfcf3a945ae25832d67df
                                                                                                                                                                                                                                        SHA512:ca9a8a1e303088f95f3e9a84a23526de97d14b4f875b5ee7617b94f5b79b073d42e46449a8c5a9ebddb1df0ee81b6abc6a604f2051dd821536b0fcdc24d061fe
                                                                                                                                                                                                                                        SSDEEP:49152:I+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:I+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                        TLSH:AFD523127584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2D705C1AB76FB3
                                                                                                                                                                                                                                        File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                                                                                                                                                                                        File Icon

                                                                                                                                                                                                                                        Icon Hash:2d2e3797b32b2b99

                                                                                                                                                                                                                                        Network Behavior

                                                                                                                                                                                                                                        Skipped network analysis since the amount of network traffic is too extensive. Please download the PCAP and check manually.

                                                                                                                                                                                                                                        Statistics

                                                                                                                                                                                                                                        CPU Usage

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        Memory Usage

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        High Level Behavior Distribution

                                                                                                                                                                                                                                        Click to dive into process behavior distribution

                                                                                                                                                                                                                                        Behavior

                                                                                                                                                                                                                                        Click to jump to process

                                                                                                                                                                                                                                        System Behavior

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:0
                                                                                                                                                                                                                                        Start time:04:30:37
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\setup.msi"
                                                                                                                                                                                                                                        Imagebase:0x7ff6fef10000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:1
                                                                                                                                                                                                                                        Start time:04:30:37
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                        Imagebase:0x7ff6fef10000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:2
                                                                                                                                                                                                                                        Start time:04:30:38
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding D70D155C234AB8AF4B72048C7B356A69
                                                                                                                                                                                                                                        Imagebase:0x490000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:3
                                                                                                                                                                                                                                        Start time:04:30:38
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI6CCA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4681015 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000003.00000003.1723738250.0000000004393000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:4
                                                                                                                                                                                                                                        Start time:04:30:39
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI6F8A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4681656 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                                                                                                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1783660722.00000000048D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000002.1783660722.0000000004831000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.1735481851.0000000004473000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:5
                                                                                                                                                                                                                                        Start time:04:30:44
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSI85C2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4687312 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                                                                                                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.1792181058.0000000004AEA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:6
                                                                                                                                                                                                                                        Start time:04:30:46
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding D5B63FD359B1E19FF9D4B0B8436ED48E E Global\MSI0000
                                                                                                                                                                                                                                        Imagebase:0x490000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:7
                                                                                                                                                                                                                                        Start time:04:30:46
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\net.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"NET" STOP AteraAgent
                                                                                                                                                                                                                                        Imagebase:0x4f0000
                                                                                                                                                                                                                                        File size:47'104 bytes
                                                                                                                                                                                                                                        MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:8
                                                                                                                                                                                                                                        Start time:04:30:46
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Reputation:high
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:9
                                                                                                                                                                                                                                        Start time:04:30:46
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\net1.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\net1 STOP AteraAgent
                                                                                                                                                                                                                                        Imagebase:0xc50000
                                                                                                                                                                                                                                        File size:139'776 bytes
                                                                                                                                                                                                                                        MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:10
                                                                                                                                                                                                                                        Start time:04:30:46
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:"TaskKill.exe" /f /im AteraAgent.exe
                                                                                                                                                                                                                                        Imagebase:0xdd0000
                                                                                                                                                                                                                                        File size:74'240 bytes
                                                                                                                                                                                                                                        MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:11
                                                                                                                                                                                                                                        Start time:04:30:46
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:12
                                                                                                                                                                                                                                        Start time:04:30:47
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="irina-pyankova1574@cyberia.pl" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OMeCIIA1" /AgentId="9242d891-5551-462a-a31d-e7fa704b4ae1"
                                                                                                                                                                                                                                        Imagebase:0x2358a2d0000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1862091988.000002358A416000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1875046101.00007FFD9B474000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1863468169.000002358C0CA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1863468169.000002358C18C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1863468169.000002358C099000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1863468169.000002358C142000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1863468169.000002358C011000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1862186018.000002358A43F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1863468169.000002358C176000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1874282974.00000235A4ADB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1872955223.00000235A46D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1862186018.000002358A43A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1862154622.000002358A430000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1862186018.000002358A4A2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1863468169.000002358C0C2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1873178796.00000235A47AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1863468169.000002358C0D9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1873751736.00000235A4910000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1863468169.000002358C09C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1862091988.000002358A410000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1861967852.000002358A390000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000000.1807347475.000002358A2D2000.00000002.00000001.01000000.0000000F.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1873933138.00000235A4AA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000002.1863468169.000002358C0C4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 26%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:13
                                                                                                                                                                                                                                        Start time:04:30:52
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                        Imagebase:0x15866770000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2391198378.0000015800583000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2390014423.0000015800500000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.000001586775F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2385156718.0000015800031000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.000001586744A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2451895454.000001587F960000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.00000158672F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.0000015867217000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2385156718.000001580004C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.000001586754A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2385156718.00000158000AD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.0000015867782000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.0000015867104000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.000001586748D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2393075876.000001586692E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2385156718.00000158000A1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2393075876.0000015866977000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.0000015867396000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2392534933.0000015866820000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.000001586718E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.00000158676E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2385156718.0000015800010000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.0000015867361000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396475702.0000015866BD0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.000001586754C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.0000015867721000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.000001586748A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.00000158673B5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2382223078.0000001E658F5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2385156718.000001580010F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.00000158670D7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.00000158674E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2451895454.000001587F9C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2391198378.0000015800590000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2393075876.00000158668F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000D.00000002.2396800785.0000015867081000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:14
                                                                                                                                                                                                                                        Start time:04:30:53
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                        Imagebase:0x7ff76b920000
                                                                                                                                                                                                                                        File size:72'192 bytes
                                                                                                                                                                                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:15
                                                                                                                                                                                                                                        Start time:04:30:53
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:17
                                                                                                                                                                                                                                        Start time:04:30:54
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSIA98C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4696484 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000003.1878247865.00000000043EC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000002.1935944853.0000000004581000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000002.1935944853.0000000004624000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:20
                                                                                                                                                                                                                                        Start time:04:31:10
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d7844ad1-a3e2-432c-a543-640c11544feb" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OMeCIIA1
                                                                                                                                                                                                                                        Imagebase:0x1b2eb900000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2072267454.000001B2EBB6D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2071038379.000001B280083000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2072267454.000001B2EBAE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2071038379.000001B280073000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2072267454.000001B2EBB21000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2072921698.000001B2EBD90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2072267454.000001B2EBB26000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000000.2035254092.000001B2EB902000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2071038379.000001B280001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:21
                                                                                                                                                                                                                                        Start time:04:31:10
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:22
                                                                                                                                                                                                                                        Start time:04:31:10
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "68d25974-b2c9-49fd-a8f0-dfebde862097" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OMeCIIA1
                                                                                                                                                                                                                                        Imagebase:0x29d3c080000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2072331976.0000029D3C9F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2071212803.0000029D3C210000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2071212803.0000029D3C22B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2072331976.0000029D3CA0D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2071212803.0000029D3C24C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2072331976.0000029D3C981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2072008202.0000029D3C470000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2071212803.0000029D3C250000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2072331976.0000029D3CAA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2071212803.0000029D3C218000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2071212803.0000029D3C293000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2072237433.0000029D3C8A2000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2072331976.0000029D3CA03000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2071212803.0000029D3C2E6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000016.00000002.2072331976.0000029D3C9C7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:23
                                                                                                                                                                                                                                        Start time:04:31:10
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:24
                                                                                                                                                                                                                                        Start time:04:31:14
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "f72507cc-a208-47c8-a3e9-729a1d4628ce" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OMeCIIA1
                                                                                                                                                                                                                                        Imagebase:0x241b9e70000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2088822606.00000241B9FF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2089695421.00000241BA3A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2088822606.00000241B9FF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2088822606.00000241BA074000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2089852028.00000241BAA43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2089852028.00000241BAA53000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2089852028.00000241BA9D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.2088822606.00000241BA02B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:25
                                                                                                                                                                                                                                        Start time:04:31:14
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:26
                                                                                                                                                                                                                                        Start time:04:31:14
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                        Imagebase:0x26e23070000
                                                                                                                                                                                                                                        File size:145'968 bytes
                                                                                                                                                                                                                                        MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E24059000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2652584802.0000026E23206000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E23E42000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E2427B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2818435322.0000026E3C668000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2818435322.0000026E3C6B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2813212061.0000026E3C5FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2652320722.0000026E23120000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2642816590.000000DC9B3D5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E24189000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2652584802.0000026E23180000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2813212061.0000026E3C5EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E24206000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E2420C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E2402B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E23F4D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E23CA6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2816336025.0000026E3C637000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2797332651.0000026E3C245000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2816336025.0000026E3C653000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E239F2000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E23BB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E23991000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E2422A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E23D17000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E241B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2652584802.0000026E231BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2657716214.0000026E234C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E23CE8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E23D26000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E241F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E2427D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2811041613.0000026E3C5C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001A.00000002.2658520317.0000026E23AAB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:27
                                                                                                                                                                                                                                        Start time:04:31:15
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                        Imagebase:0x7ff76b920000
                                                                                                                                                                                                                                        File size:72'192 bytes
                                                                                                                                                                                                                                        MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:28
                                                                                                                                                                                                                                        Start time:04:31:15
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:29
                                                                                                                                                                                                                                        Start time:04:31:17
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "1a0c70a9-8890-4c20-9157-935212dce1a7" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OMeCIIA1
                                                                                                                                                                                                                                        Imagebase:0x15268ab0000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2353581735.0000015268BB1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2341203187.000001520026D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2355103857.0000015268DC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2353581735.0000015268B70000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2341203187.0000015200270000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2360561479.0000015269FE8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2341203187.00000152001AC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2341203187.0000015200001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2353581735.0000015268BAB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2341203187.0000015200095000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2358359058.0000015269EA6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2355929789.0000015269C40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2341203187.000001520023F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2353581735.0000015268BF9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2357856647.0000015269E10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2357299685.0000015269D0F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001D.00000002.2341203187.0000015200304000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:30
                                                                                                                                                                                                                                        Start time:04:31:17
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:31
                                                                                                                                                                                                                                        Start time:04:31:18
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff717ee0000
                                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2211125948.000002440CC50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2212653983.000002440CEA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2211125948.000002440CC5B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000003.2117297422.000002440CEC0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001F.00000002.2211125948.000002440CC73000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:32
                                                                                                                                                                                                                                        Start time:04:31:18
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:33
                                                                                                                                                                                                                                        Start time:04:31:18
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff77bc10000
                                                                                                                                                                                                                                        File size:161'280 bytes
                                                                                                                                                                                                                                        MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2209070573.000001BF3A2F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:34
                                                                                                                                                                                                                                        Start time:04:31:18
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\sppsvc.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                                                                                                                                                        Imagebase:0x7ff6ebe50000
                                                                                                                                                                                                                                        File size:4'630'384 bytes
                                                                                                                                                                                                                                        MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:35
                                                                                                                                                                                                                                        Start time:04:31:20
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "98b3abfc-f9c9-4d55-adfe-91d1ba1b9071" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OMeCIIA1
                                                                                                                                                                                                                                        Imagebase:0x239e3240000
                                                                                                                                                                                                                                        File size:72'744 bytes
                                                                                                                                                                                                                                        MD5 hash:67FEF41237025021CD4F792E8C24E95A
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2981767076.00000239E341B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2990093552.00000239E3650000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000000.2140448017.00000239E3242000.00000002.00000001.01000000.0000001A.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2977651521.000000C5079A1000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2981767076.00000239E3378000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2981767076.00000239E3330000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2991884534.00000239E3B2B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2981767076.00000239E3370000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2991884534.00000239E3BC1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2991884534.00000239E3BB3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2981767076.00000239E333C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2981767076.00000239E33BC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000023.00000002.2991884534.00000239E3AB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:36
                                                                                                                                                                                                                                        Start time:04:31:20
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:37
                                                                                                                                                                                                                                        Start time:04:31:26
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d1b6a42a-05b0-4cdf-a34a-0f09be280e65" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OMeCIIA1
                                                                                                                                                                                                                                        Imagebase:0x2223b320000
                                                                                                                                                                                                                                        File size:398'384 bytes
                                                                                                                                                                                                                                        MD5 hash:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2266312927.0000022255535000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2252746004.000002223B503000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2252746004.000002223B4C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2266264698.0000022255337000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2253887131.000002223B6E2000.00000002.00000001.01000000.0000001D.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2263051148.0000022254606000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2257304683.000002223C37B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2278293079.00007FFDF51E9000.00000004.00000001.01000000.0000001C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2252746004.000002223B505000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2257304683.000002223BDD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000000.2199015622.000002223B322000.00000002.00000001.01000000.0000001B.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2252746004.000002223B54F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2254493143.000002223B7F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2252487588.000002223B410000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2263051148.00000222545A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2266485318.0000022255546000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2252746004.000002223B4CC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2257304683.000002223BEBD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:38
                                                                                                                                                                                                                                        Start time:04:31:26
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:39
                                                                                                                                                                                                                                        Start time:04:31:28
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\System32\svchost.exe -k smphost
                                                                                                                                                                                                                                        Imagebase:0x7ff6eef20000
                                                                                                                                                                                                                                        File size:55'320 bytes
                                                                                                                                                                                                                                        MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:false
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:40
                                                                                                                                                                                                                                        Start time:04:31:40
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "d1b6a42a-05b0-4cdf-a34a-0f09be280e65" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OMeCIIA1
                                                                                                                                                                                                                                        Imagebase:0x227446b0000
                                                                                                                                                                                                                                        File size:398'384 bytes
                                                                                                                                                                                                                                        MD5 hash:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2392021388.0000022745121000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2424422551.000002275E8C2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2477771148.00007FFDF51F0000.00000004.00000001.01000000.0000001C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2388496843.0000022744900000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2388496843.0000022744908000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2425981574.000002275EAE0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2392021388.00000227456CD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2388008471.00000227447A0000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2390969055.0000022744A80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2419891016.000002275D8B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2388496843.0000022744985000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2388496843.0000022744949000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2392021388.0000022745130000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000028.00000002.2392021388.000002274520D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:41
                                                                                                                                                                                                                                        Start time:04:31:40
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:42
                                                                                                                                                                                                                                        Start time:04:31:47
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "13dc0fc3-697b-4a62-a255-2d8ddb62576d" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OMeCIIA1
                                                                                                                                                                                                                                        Imagebase:0x2224f4c0000
                                                                                                                                                                                                                                        File size:178'728 bytes
                                                                                                                                                                                                                                        MD5 hash:83FD950ED584099A4125EFBA77E26BAA
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2579705714.000002224F71B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2578673445.000002224F690000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2579705714.000002224F6E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2623921845.00000222687AC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2630520485.00000222688B9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2584934193.000002224FFB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2579705714.000002224F71F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2584934193.00000222500B4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2616454383.00000222686A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2584934193.000002224FE81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2584934193.000002224FFFF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2619976879.0000022268709000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2579705714.000002224F762000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002A.00000002.2584934193.0000022250002000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:43
                                                                                                                                                                                                                                        Start time:04:31:48
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:44
                                                                                                                                                                                                                                        Start time:04:31:48
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff717ee0000
                                                                                                                                                                                                                                        File size:289'792 bytes
                                                                                                                                                                                                                                        MD5 hash:8A2122E8162DBEF04694B9C3E0B6CDEE
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2507664137.0000026BDEA80000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2507433085.0000026BDE983000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2507433085.0000026BDE96B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000002.2507433085.0000026BDE960000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002C.00000003.2422406398.0000026BDEAA0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:45
                                                                                                                                                                                                                                        Start time:04:31:48
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:46
                                                                                                                                                                                                                                        Start time:04:31:48
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\cscript.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
                                                                                                                                                                                                                                        Imagebase:0x7ff77bc10000
                                                                                                                                                                                                                                        File size:161'280 bytes
                                                                                                                                                                                                                                        MD5 hash:24590BF74BBBBFD7D7AC070F4E3C44FD
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002E.00000002.2505676018.000002C239C40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:47
                                                                                                                                                                                                                                        Start time:04:31:51
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "85c4bf9d-6672-4ff6-9d39-c5253fdd9505" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OMeCIIA1
                                                                                                                                                                                                                                        Imagebase:0x21946f00000
                                                                                                                                                                                                                                        File size:57'896 bytes
                                                                                                                                                                                                                                        MD5 hash:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.2772375946.00000061E76F2000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.2791766189.0000021947270000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000000.2451773042.0000021946F02000.00000002.00000001.01000000.00000025.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.2776713478.00000219470A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.2776713478.000002194712D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.2841602569.0000021960166000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.2841602569.00000219600E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.2776713478.00000219470E1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.2790873443.0000021947235000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.2793449512.0000021947A18000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.2793449512.00000219478A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.2793449512.0000021947B2A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:48
                                                                                                                                                                                                                                        Start time:04:31:51
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:49
                                                                                                                                                                                                                                        Start time:04:31:54
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
                                                                                                                                                                                                                                        Imagebase:0x1e1f6f00000
                                                                                                                                                                                                                                        File size:57'896 bytes
                                                                                                                                                                                                                                        MD5 hash:E9794F785780945D2DDE78520B9BB59F
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2486274448.000001E1F70B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2486344295.000001E1F7157000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2483872903.000001E180083000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2486344295.000001E1F70D8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2486344295.000001E1F70D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2483872903.000001E180001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2486344295.000001E1F70EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000031.00000002.2486344295.000001E1F710E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:50
                                                                                                                                                                                                                                        Start time:04:31:54
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:52
                                                                                                                                                                                                                                        Start time:04:31:56
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "5217f7e0-ee66-4f0d-8baa-558190773e5c" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OMeCIIA1
                                                                                                                                                                                                                                        Imagebase:0x1a5df040000
                                                                                                                                                                                                                                        File size:33'320 bytes
                                                                                                                                                                                                                                        MD5 hash:DB1DB66EBD9B15B7DCD55374EA56EE5E
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2994977412.000001A5DFBA5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2982908855.000001A5DF160000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2982908855.000001A5DF1A2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2977659147.000000180C351000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2991233857.000001A5DF3B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2994977412.000001A5DFA31000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2992789220.000001A5DF4B2000.00000002.00000001.01000000.00000044.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000000.2502364341.000001A5DF042000.00000002.00000001.01000000.0000002A.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2982908855.000001A5DF16C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2982908855.000001A5DF1A6000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2982908855.000001A5DF1EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2991622488.000001A5DF492000.00000002.00000001.01000000.00000042.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2994977412.000001A5DFDC5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000034.00000002.2994977412.000001A5DFBCC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:53
                                                                                                                                                                                                                                        Start time:04:31:56
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:false

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:54
                                                                                                                                                                                                                                        Start time:04:31:57
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "8fd4c861-1232-40d7-b066-6ca65149b9d1" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000OMeCIIA1
                                                                                                                                                                                                                                        Imagebase:0x1e289ec0000
                                                                                                                                                                                                                                        File size:398'384 bytes
                                                                                                                                                                                                                                        MD5 hash:5E3252E0248B484E76FCDBF8B42A645D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2710784303.000001E28A020000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2710784303.000001E28A05A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2732182242.000001E28B0B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2841757741.000001E2A4065000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2710083269.000001E289FB0000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2725439667.000001E28A2B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2732182242.000001E28B0BA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2732182242.000001E28AE19000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2710784303.000001E28A03B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2842753455.000001E2A408D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2732182242.000001E28B0E7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2732182242.000001E28B0A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2842621858.000001E2A4089000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2841681973.000001E2A3E67000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2732182242.000001E28AAD9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2732182242.000001E28AF9F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2710784303.000001E28A028000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2732182242.000001E28B0ED000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2710784303.000001E28A069000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2844259514.000001E2A4196000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2732182242.000001E28AC81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2732182242.000001E28AF64000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2829189532.000001E2A30B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2903937858.00007FFDF51F0000.00000004.00000001.01000000.0000001C.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2732182242.000001E28A9F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2732182242.000001E28AC8A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2732182242.000001E28AC77000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2710784303.000001E28A0A2000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000036.00000002.2732182242.000001E28AE81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:55
                                                                                                                                                                                                                                        Start time:04:31:57
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:56
                                                                                                                                                                                                                                        Start time:04:32:01
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "5c8848b3-9aa3-46df-aa22-dd004b8c84e1" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OMeCIIA1
                                                                                                                                                                                                                                        Imagebase:0x208f9690000
                                                                                                                                                                                                                                        File size:201'256 bytes
                                                                                                                                                                                                                                        MD5 hash:CDE6BA86139AE458ABC24DAD31A66465
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2699316243.00000208F991C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2662924761.0000020880194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2707813433.00000208F9B02000.00000002.00000001.01000000.00000036.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2662924761.00000208805EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000000.2548562734.00000208F9692000.00000002.00000001.01000000.0000002B.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2662924761.00000208800D6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2662924761.00000208805F9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2699316243.00000208F995F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2662924761.00000208802C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2662924761.0000020880359000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2662924761.0000020880001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2699316243.00000208F9910000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2723586863.00000208FA7E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2662924761.000002088019E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2699316243.00000208F99A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2707965416.00000208F9B10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2662924761.0000020880242000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2662924761.0000020880268000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2699316243.00000208F9953000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2662924761.000002088020E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:57
                                                                                                                                                                                                                                        Start time:04:32:01
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:58
                                                                                                                                                                                                                                        Start time:04:32:01
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                                                                                                                                                                                                                                        Imagebase:0x7ff6fef10000
                                                                                                                                                                                                                                        File size:69'632 bytes
                                                                                                                                                                                                                                        MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000002.2763756199.00000167660B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000003.2695767843.0000016765830000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000003.2627145054.00000167660AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000002.2763408092.0000016765750000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000003.2761811783.000001676574E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000003.2762028585.0000016765749000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000003.2761544204.000001676573B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000003.2698164334.00000167660AF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000002.2763352329.000001676574A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:59
                                                                                                                                                                                                                                        Start time:04:32:02
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding 08676A301D1865B6D18C209455EE8F01 E Global\MSI0000
                                                                                                                                                                                                                                        Imagebase:0x490000
                                                                                                                                                                                                                                        File size:59'904 bytes
                                                                                                                                                                                                                                        MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:60
                                                                                                                                                                                                                                        Start time:04:32:02
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):true
                                                                                                                                                                                                                                        Commandline:rundll32.exe "C:\Windows\Installer\MSIB494.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_4764937 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                                                                                                                                                                                                                                        Imagebase:0x1e0000
                                                                                                                                                                                                                                        File size:61'440 bytes
                                                                                                                                                                                                                                        MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003C.00000003.2566734435.00000000041E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:61
                                                                                                                                                                                                                                        Start time:04:32:03
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 9242d891-5551-462a-a31d-e7fa704b4ae1 "17f294c0-6fa0-4525-9569-46a8de27528e" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OMeCIIA1
                                                                                                                                                                                                                                        Imagebase:0x2396d6a0000
                                                                                                                                                                                                                                        File size:219'696 bytes
                                                                                                                                                                                                                                        MD5 hash:01807774F043028EC29982A62FA75941
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Yara matches:
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2618275203.000002390001E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2618275203.0000023900231000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2643606210.000002396E7EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2633279331.000002396D7D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2618275203.0000023900240000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2618275203.0000023900234000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2633279331.000002396D79C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2618275203.0000023900239000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2618275203.000002390023B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2618275203.0000023900243000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2618275203.0000023900020000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2633279331.000002396D81C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2633279331.000002396D790000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2618275203.000002390022F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2618275203.000002390023E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2618275203.0000023900001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2618275203.0000023900175000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000000.2569497839.000002396D6A2000.00000002.00000001.01000000.0000002E.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2633279331.000002396D7D0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2643246448.000002396DB30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2618275203.000002390022D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2618275203.000002390022B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003D.00000002.2643606210.000002396E780000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                        • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, Author: Joe Security
                                                                                                                                                                                                                                        Antivirus matches:
                                                                                                                                                                                                                                        • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        General

                                                                                                                                                                                                                                        Target ID:62
                                                                                                                                                                                                                                        Start time:04:32:03
                                                                                                                                                                                                                                        Start date:17/12/2024
                                                                                                                                                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                        Wow64 process (32bit):false
                                                                                                                                                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                        Imagebase:0x7ff7699e0000
                                                                                                                                                                                                                                        File size:862'208 bytes
                                                                                                                                                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                        Has elevated privileges:true
                                                                                                                                                                                                                                        Has administrator privileges:true
                                                                                                                                                                                                                                        Programmed in:C, C++ or other language
                                                                                                                                                                                                                                        Has exited:true

                                                                                                                                                                                                                                        Disassembly

                                                                                                                                                                                                                                        Reset < >

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 04471630 Relevance: 2.7, Strings: 2, Instructions: 158COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $tq$$tq
                                                                                                                                                                                                                                          • API String ID: 0-1837209516
                                                                                                                                                                                                                                          • Opcode ID: 8b199f7c179965e40a1d0435debbdca3078a4d9e52837fbfacae4de9319e219c
                                                                                                                                                                                                                                          • Instruction ID: 2084e5eee1df906700be21a75a45c671bdf8451cf17ac322345106b45362f122
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8b199f7c179965e40a1d0435debbdca3078a4d9e52837fbfacae4de9319e219c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4651CD71B002089FCF15DF79D8806EEBBB6EBC9350B14812BE409DB365EA30AD46C791
                                                                                                                                                                                                                                          Function 04471080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: 18b1f34f0bfdeb2115f6b81c8d4acd192dabb31fd753b87e73aa0c475f35d5c6
                                                                                                                                                                                                                                          • Instruction ID: 379175f8116f33ebb4e6e45b0ab34ae79fe9d957668cf23b702ad35561c842fc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18b1f34f0bfdeb2115f6b81c8d4acd192dabb31fd753b87e73aa0c475f35d5c6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FB71A575B001199FEF149BB5D8546AEBBA7EFC8310F14802AE506AB394DF74EC438751
                                                                                                                                                                                                                                          Function 04470C1C Relevance: 1.4, Strings: 1, Instructions: 155COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: 62401f721b18010303d3a571eb25b25a16d498249ab02225925b24ffbec9b380
                                                                                                                                                                                                                                          • Instruction ID: 99f88c5d8796d15b7f7983d4538d07cdec2f113eb6e9f37416c25934b2f85d13
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 62401f721b18010303d3a571eb25b25a16d498249ab02225925b24ffbec9b380
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3251E430B04245AFEB149B68D4647FA7BF6EF8D310F14906AD406E7382DE78AC068791
                                                                                                                                                                                                                                          Function 04472644 Relevance: 1.4, Strings: 1, Instructions: 131COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: bb8bc38757c90a24ca83f1be5de69f03982f69702a95a92439a38d4d2b685d06
                                                                                                                                                                                                                                          • Instruction ID: 48dfa8cc6698b041eed01e6065914f461429549ec8843a368647b72706c0d7e1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bb8bc38757c90a24ca83f1be5de69f03982f69702a95a92439a38d4d2b685d06
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3F312821B093540BEF255A3564A03FF3B9AEFC5214F0484BBD846DB382DDA8AC0743A1
                                                                                                                                                                                                                                          Function 04472764 Relevance: .4, Instructions: 397COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f6defb0aece703ff367774c150e01a35d865997dcde9d2ef263c2d6451eae5f9
                                                                                                                                                                                                                                          • Instruction ID: de9d33d3623fe7d96121217001c6996d5ad5e2418d6b42b92faf2f8f424192cc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f6defb0aece703ff367774c150e01a35d865997dcde9d2ef263c2d6451eae5f9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 51E09BB1C542458FC754DF6D94802E67FF5FE15109B5041BFC889C6651FA329543CF90
                                                                                                                                                                                                                                          Function 044723B8 Relevance: .2, Instructions: 182COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7ee455ed9aeab44fd5c892b7e76a242bbe4676d345da463da5096dd057832712
                                                                                                                                                                                                                                          • Instruction ID: 2630d04dce5194e4b9d1e69c0ccdf6fd1ee089df82d2bc938fa4c48bba5fbb3e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7ee455ed9aeab44fd5c892b7e76a242bbe4676d345da463da5096dd057832712
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8512371B052158FDB10CB68D894AABBBB1FF45318B1581E6E418DB362EB71EC43C791
                                                                                                                                                                                                                                          Function 04472268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f512b359221c83220ca7644777f45302d68b1089bdc3a38f318ad71c53d00bb0
                                                                                                                                                                                                                                          • Instruction ID: 1169a266edce3e82567c5cbaf6e8eaaf068bbb2f8b0f1a2d8ae618e814fe8041
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f512b359221c83220ca7644777f45302d68b1089bdc3a38f318ad71c53d00bb0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BB410575B002189FCB54DF69D98099EBBB6FF88310B10816AE905EB364DB31EC42CB90
                                                                                                                                                                                                                                          Function 04472664 Relevance: .1, Instructions: 93COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5f4f15869d25641a8f336d4269c15afeebc40da3cb1da96e3f796c315a62d26a
                                                                                                                                                                                                                                          • Instruction ID: 0e5cdcf9ab694e7ff32e87eec16bad6996b284f961e2f4495bd5116b1d510e97
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5f4f15869d25641a8f336d4269c15afeebc40da3cb1da96e3f796c315a62d26a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F62180316413296FEB01266974653FB3F4CEF42369F1084F7ED8996352D854E88793E0
                                                                                                                                                                                                                                          Function 04471050 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d9fce7dc69236f14ebd002c3425fb091b0388beaad0a119fd8b330d5383a6143
                                                                                                                                                                                                                                          • Instruction ID: 000cd315e68aacbf42c91e7d97758ca1f5431424e36b915a0d80b88a0f31f426
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d9fce7dc69236f14ebd002c3425fb091b0388beaad0a119fd8b330d5383a6143
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A021F832B0126497DF10DA7998906EF7BAADF88255F04907BD946DB346EA30E907C391
                                                                                                                                                                                                                                          Function 04472258 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8f22bc2fd33b0260c053fb6c6de503108aae5c06bbbe2d048216404e16ed3195
                                                                                                                                                                                                                                          • Instruction ID: 187558353478eb2faade0e849c5e11b3cc1e8fa87977567db05dbd807aa56fd3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f22bc2fd33b0260c053fb6c6de503108aae5c06bbbe2d048216404e16ed3195
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC21EA75A112189FCB54DF69D8809DEBBF1FF4C710F10816AE915EB364EB31A842CB90
                                                                                                                                                                                                                                          Function 04470F20 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 18042b9e27da356e4f0a4b0a4dfee403030145c8a319ca8ef5721dbd09987fc7
                                                                                                                                                                                                                                          • Instruction ID: 8df9a14d309b30899c6644c05e2738a37fd84b60a8b9ab1313d48b7af9cdaf03
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18042b9e27da356e4f0a4b0a4dfee403030145c8a319ca8ef5721dbd09987fc7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1701BD66B0A3501BDF2516BA28942AF7F49CFC5360F05846BED08CF302ED64DC0782E2
                                                                                                                                                                                                                                          Function 04470F30 Relevance: .1, Instructions: 60COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3487fd4e420b9da11f9986faa6209c22145861ca4ce718c3d3cc9c28672b580b
                                                                                                                                                                                                                                          • Instruction ID: 2b5c2fcfbefbb1eaf6f06cad845cdd6b1a5ecf1fc9f3167c71d27aabe4f449f6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3487fd4e420b9da11f9986faa6209c22145861ca4ce718c3d3cc9c28672b580b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3E11442160E2894FDB1257B464A11D93F659F42204B25889BC84ACF343D809EC0383E3
                                                                                                                                                                                                                                          Function 04471958 Relevance: .1, Instructions: 58COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a3579da6961e6a702dc78aaac89492e4c393248c587fe7905c871a4fe5b50360
                                                                                                                                                                                                                                          • Instruction ID: e0c810d7556139e8648b65a938ba61eb32ecec3891aa257f23bb227b75197790
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a3579da6961e6a702dc78aaac89492e4c393248c587fe7905c871a4fe5b50360
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 52115135600155EFCB04DF64E495AB9BBB6EF8C310F249469E80A97341CF79AC4ADB90
                                                                                                                                                                                                                                          Function 04471378 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4f9519246afdd8de4e3edcb526fc342e2af164b8c084b0ab21e9a1420d0c09be
                                                                                                                                                                                                                                          • Instruction ID: 8ceb17e10360eb3d95f2d62b1b27f52a1376f9b656337668464adf3091a28b6c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4f9519246afdd8de4e3edcb526fc342e2af164b8c084b0ab21e9a1420d0c09be
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3921F770D006498EDB20DFAAC484AEEFBF4FF98324F14852ED459A7640C775A905CFA1
                                                                                                                                                                                                                                          Function 04471380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8eb0760cf646d322bbe47531ea2237ae1c5fe0a64aab68389b6333811c541190
                                                                                                                                                                                                                                          • Instruction ID: f30caf24f1248f430c7d81b6e776409488434fde733580e4b2907652d2a9bc24
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8eb0760cf646d322bbe47531ea2237ae1c5fe0a64aab68389b6333811c541190
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 641106B0D002498FDB10DFAAC481AEEFBF4FF88324F10841AD419A7240CB796905CFA1
                                                                                                                                                                                                                                          Function 04471968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e72e5b38e0a839ce8e0278898f67648eca9e3148bc189db27b37adb1f163862d
                                                                                                                                                                                                                                          • Instruction ID: 4ef3eddb86266898be971313dade506c1bb6b57f7e6ce022cd7aa733ba5dd00c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e72e5b38e0a839ce8e0278898f67648eca9e3148bc189db27b37adb1f163862d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A112435600155EFDB04DF54E454AB97BBAEF8C311F249069E809E7341CF79AC49DB90
                                                                                                                                                                                                                                          Function 04470F40 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 966fcccd58487fe2caf529ba74352659956b05eb7d7fd951e6e2b57e2cb14d03
                                                                                                                                                                                                                                          • Instruction ID: 54edaa569e045648a5c23756073a1d55a23ad2febc2c0bc2a9390e1d80d17c19
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 966fcccd58487fe2caf529ba74352659956b05eb7d7fd951e6e2b57e2cb14d03
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AA0170703443088FF704A760E8A47BA7BA0EB44304F14885AD58D8F7C2C511FC47C302
                                                                                                                                                                                                                                          Function 04471440 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b23e8f9b7f4c6092fbc0158f6bcfccf88bf12e727a529a3ce77841df2eaf0a42
                                                                                                                                                                                                                                          • Instruction ID: 108a61896cae63c9e45745f94923956c6fbdf13464562cd9007abb7fd9c55b5c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b23e8f9b7f4c6092fbc0158f6bcfccf88bf12e727a529a3ce77841df2eaf0a42
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4101B1706093866FCF199F7878761673FEADF8A20070518AFD58ACF252E924D80DC791
                                                                                                                                                                                                                                          Function 0447182A Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f5839afe07bacc4022c9f9717b53eba4fc783ffb3f84cf017d97d6ff555289ef
                                                                                                                                                                                                                                          • Instruction ID: bc0fbef76edc4f61baf97e5ecbd2bdc5997339b6a7ce9ca2b0cb091cf97a8875
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f5839afe07bacc4022c9f9717b53eba4fc783ffb3f84cf017d97d6ff555289ef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8E01AD31A1160497FF28AA6985557EF7BFA9B88704F21842FD406F3781CE796D028BD1
                                                                                                                                                                                                                                          Function 041DD01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1725927076.00000000041DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 041DD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_41dd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c06189577ed3e40d8addb36707af48cd4dd6a961b1363e1a88a4e0d6da2f4657
                                                                                                                                                                                                                                          • Instruction ID: c40889d6ba0dd41e08be3bbe8f2626cf7f70948cabbfde9e4ed34a407f706bda
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c06189577ed3e40d8addb36707af48cd4dd6a961b1363e1a88a4e0d6da2f4657
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 88012BB1508340AAE7208E26FCC4B67BF98DFC1320F18C55AED080F142D379A841CAB1
                                                                                                                                                                                                                                          Function 04472A98 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9433057c334f8c1421d5c171e67f0108c8d630f312fbdb35d17de08b95c980e5
                                                                                                                                                                                                                                          • Instruction ID: af63c0151a45456acefa921d3d0f0bdd0c67ca31bea4aae3b4a0fc853fbe220c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9433057c334f8c1421d5c171e67f0108c8d630f312fbdb35d17de08b95c980e5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1DF02B2130531017DB34991764D07FB779EFFD4714B1440ABE945C7352EAA4684752A0
                                                                                                                                                                                                                                          Function 041DD006 Relevance: .0, Instructions: 43COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000002.1725927076.00000000041DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 041DD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_2_41dd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 40aeec24d6bd4d70432978226b6d08a52a14e71f2ee53cd7dc6fbe7e02e23dfb
                                                                                                                                                                                                                                          • Instruction ID: 8e00dc31c28cbd2bd194bca57fb4e90335b0ba5997ca58026b854fbd0498197c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 40aeec24d6bd4d70432978226b6d08a52a14e71f2ee53cd7dc6fbe7e02e23dfb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8B0171B240E3C0AEE7128B259C94B52BFA4EF53224F19C1DBD9888F197C3699844C772
                                                                                                                                                                                                                                          Function 044725D1 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 08303582952da8531132973741bbff22909fab252c9040fafcdad946e74f24df
                                                                                                                                                                                                                                          • Instruction ID: 9af96784dadb077a8066d34e9d36505e8747997f5ae829161c0a91f1ce49c646
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 08303582952da8531132973741bbff22909fab252c9040fafcdad946e74f24df
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01F0B432A200548BDB089568E0941FE77BADBC9216B20803BD946A7280FF205D0BCA90
                                                                                                                                                                                                                                          Function 04471BB0 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c48f12178e8836207c5201db552d3a111be1c4978d073513860dfec6c5c38935
                                                                                                                                                                                                                                          • Instruction ID: 44ed6defe315e325db75810d2e2e98611fa0be9cca2df2d8f9dcfb18e9885af7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c48f12178e8836207c5201db552d3a111be1c4978d073513860dfec6c5c38935
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B4F05236B063502BDB205AA664D07ABAF48EBD4160F11406BEE488B302EA60DC0382E0
                                                                                                                                                                                                                                          Function 04471431 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 893d036403c22f168e4d730db3bff89dbf86c46fa4ef2331858c15b075efa3d5
                                                                                                                                                                                                                                          • Instruction ID: f29b7bd3f90460c2eec0594df6bf4299ba10270d23079e38a542e0fb40c9567d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 893d036403c22f168e4d730db3bff89dbf86c46fa4ef2331858c15b075efa3d5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2DF0C2706082465ECF189F7474661663FAAEFC9300704187FC58ACF252F964D809C790
                                                                                                                                                                                                                                          Function 044725E0 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 57d81fa5c7930912bca9f45c3c9900441191036ba9448dc568087706c6044e53
                                                                                                                                                                                                                                          • Instruction ID: b7642df05e3f13a7e17c7e3d1482856a33b63a0b87d117bf9355dfdc8c861f10
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 57d81fa5c7930912bca9f45c3c9900441191036ba9448dc568087706c6044e53
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 87E0A032F1015887CB089669E4544EEB7BAEBC8221F108026D802A3240EF705D0E8B91
                                                                                                                                                                                                                                          Function 04472654 Relevance: .0, Instructions: 29COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7842e3b6d7e46948c264cbabcf8d9c1eeed93452b4762174d1c51ce2f43c2309
                                                                                                                                                                                                                                          • Instruction ID: 66685d7416a69b7caa716b348df92ee4dec110be0095c65f255aa3ba378749fd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7842e3b6d7e46948c264cbabcf8d9c1eeed93452b4762174d1c51ce2f43c2309
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3DE09A2071432942FF382D6A54507E726CEAB85718F000CBBC8818B783E8E0F84B03E2
                                                                                                                                                                                                                                          Function 04472590 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 95f7d070ef61d213d2832e823e62557e84992521315be2d123ae8919ec33d522
                                                                                                                                                                                                                                          • Instruction ID: 3f96bafaa349a9b263481056006471649ed63a3e650ccd0c5bbb76e55b8d55e7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 95f7d070ef61d213d2832e823e62557e84992521315be2d123ae8919ec33d522
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8BE0C2B00052140BF706A7B8B8A11C93F51EF4960432298A6D5828F523FE10588B43C2
                                                                                                                                                                                                                                          Function 044717F0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f54e04a83951773521b8e9f52d741c6c02670db1651dc5aa88785aad573e6dc7
                                                                                                                                                                                                                                          • Instruction ID: c05d9ed8a7db2f541d5fa033ad3fd1e004e651a3e1c2b052456e0797e87d78a2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f54e04a83951773521b8e9f52d741c6c02670db1651dc5aa88785aad573e6dc7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9CD02E7322A2640FC309E760B49A4D57F64EB5A221304406BE9458B263ED200C93C3C0
                                                                                                                                                                                                                                          Function 04471C29 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 25c2aae6a45f71c4fe48444160e999a5fb219489708e68cb253110990df33d5d
                                                                                                                                                                                                                                          • Instruction ID: c0a49c2891659c89477592f560fbf3cf9c4c2fafd5debe9786b370d188b77e39
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 25c2aae6a45f71c4fe48444160e999a5fb219489708e68cb253110990df33d5d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3C0129B91B6651BDF1511E52D821C69F048B86B64B024897D95CEA20690459D0742E7
                                                                                                                                                                                                                                          Function 04470C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 521fbd3e49ac5c5be0460e678869571d7179e6b0ef79eea94d34f75ffa858b5f
                                                                                                                                                                                                                                          • Instruction ID: ebf73ea98ae4601cd405a1b12e6c17caf41014bbee1be977a4d734e8bd9e87ef
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 521fbd3e49ac5c5be0460e678869571d7179e6b0ef79eea94d34f75ffa858b5f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D7D0A77232141C6B56046619E8458AA7B99E7883613508837F90287310ED717C469395
                                                                                                                                                                                                                                          Function 04472A58 Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d62e007aaff7d63f66b171b64498d40240bc30a11ac41bec51a14f33d5184027
                                                                                                                                                                                                                                          • Instruction ID: 98165dcbcd27308c7e7fcfbe46c070d6f73b8284c5bd8eebd15c58cc61e34a11
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d62e007aaff7d63f66b171b64498d40240bc30a11ac41bec51a14f33d5184027
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1EE0E2B0D002099F8B90EFB995415AABBF4BB48204B1085AE8448D7201FB72AA028B91
                                                                                                                                                                                                                                          Function 04470440 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 16b8a5f1dfcc89d57e5171f607b4598d8ea25f62acfbee0b9c7656b5971303da
                                                                                                                                                                                                                                          • Instruction ID: e1db8161e0751c8a90e2ae11b937d7fcceabe585a3155bd6c68851a774418e0b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 16b8a5f1dfcc89d57e5171f607b4598d8ea25f62acfbee0b9c7656b5971303da
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AEC08C7248A7815FE302829C08914DB2BB4FA73614389E6ABC0C6CA957F12E6467C232
                                                                                                                                                                                                                                          Function 04470F50 Relevance: .0, Instructions: 13COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 95cc4aa947231657ebcb3ec067658a75a9d3d5917534094d73d5077f224eb440
                                                                                                                                                                                                                                          • Instruction ID: 5e08608f293a085cc8e7bc7b0b6f6922cd039fc3dd84af58fa2e99d528c87112
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 95cc4aa947231657ebcb3ec067658a75a9d3d5917534094d73d5077f224eb440
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 57C08C20B4120A8EFE202BA7261837A394D9B80708F00AC5BB80E89200EC69F8120189
                                                                                                                                                                                                                                          Function 04470E7C Relevance: .0, Instructions: 8COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000003.00000003.1724918142.0000000004470000.00000040.00000800.00020000.00000000.sdmp, Offset: 04470000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_3_3_4470000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c9834e3a670c6528f8fa2110c43f47a1f91530f1b635de20f643f183072c6f2e
                                                                                                                                                                                                                                          • Instruction ID: b428de2b829c2c6a58db9a64778598f862d07d4245ec29439ab1a26444336d86
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c9834e3a670c6528f8fa2110c43f47a1f91530f1b635de20f643f183072c6f2e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 68B0128960500112B910A6374CD45FA00829BC0304BC4EC071002AC0096C24F0031005

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 06B80040 Relevance: 1.7, Strings: 1, Instructions: 471COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782136293.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6b80000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \;tq
                                                                                                                                                                                                                                          • API String ID: 0-3840972847
                                                                                                                                                                                                                                          • Opcode ID: a69da43804a667d722c047991ab72803c3cfaf602c6939db27e0d832aaced37d
                                                                                                                                                                                                                                          • Instruction ID: 58a2f7d0fe5f8dd4dcad48a7231e6070c60f718e7d9cae26a1298780ef88d37d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a69da43804a667d722c047991ab72803c3cfaf602c6939db27e0d832aaced37d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90225C70E1061ACFDB14EF74C85469DB7B2FF89304F1186A9E845AB350EB74E989CB90
                                                                                                                                                                                                                                          Function 0475746A Relevance: 20.9, Strings: 16, Instructions: 921COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: vq$$&uq$(_tq$4'tq$4'tq$4'tq$4'tq$4ctq$4ctq$@btq$|-uq$$tq$$tq$ctq$ctq$vq
                                                                                                                                                                                                                                          • API String ID: 0-1742163295
                                                                                                                                                                                                                                          • Opcode ID: 1bd63f1455d9f834d17c40bb4852edb7674f67c3aea71b61844cf41e7bc08e5b
                                                                                                                                                                                                                                          • Instruction ID: 1c076761daa14c00dc71ee0d88ad57065ef4735764962b21c6465f46235aef61
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1bd63f1455d9f834d17c40bb4852edb7674f67c3aea71b61844cf41e7bc08e5b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 22A21A71901218DFDB259FA1D854AEDBBB2FF89300F1044EAD509AB360DB31AE85DF91
                                                                                                                                                                                                                                          Function 047574C0 Relevance: 20.9, Strings: 16, Instructions: 867COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: vq$$&uq$(_tq$4'tq$4'tq$4'tq$4'tq$4ctq$4ctq$@btq$|-uq$$tq$$tq$ctq$ctq$vq
                                                                                                                                                                                                                                          • API String ID: 0-1742163295
                                                                                                                                                                                                                                          • Opcode ID: e3a418133500113c5b82a1ae4234399e1863a92d3009b24d78df6dcefa500361
                                                                                                                                                                                                                                          • Instruction ID: 44b93c00105915ec2b12692bb7c2c3fc9bad5e3281606d46fe73474a30683c60
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e3a418133500113c5b82a1ae4234399e1863a92d3009b24d78df6dcefa500361
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9992F771901218DFDB259FA1D854AEEBBB2FF89300F1045E9D909AB350DB31AE81DF91
                                                                                                                                                                                                                                          Function 0475B688 Relevance: 4.0, Strings: 3, Instructions: 223COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq$\;tq$|sq
                                                                                                                                                                                                                                          • API String ID: 0-707985654
                                                                                                                                                                                                                                          • Opcode ID: c5c9688bdbc7572a4c947b4b9b483e6b76546fb318fff3be306d9038492474bf
                                                                                                                                                                                                                                          • Instruction ID: 0634de9286c469eace3e5ad57613c610c104b0dc6f25bc33449f1d3f393776a2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c5c9688bdbc7572a4c947b4b9b483e6b76546fb318fff3be306d9038492474bf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1561D5B4B045164BDB189A7B885067EF7ABBFD4344B14842ADC05DB3A4EE74FC0287E1
                                                                                                                                                                                                                                          Function 0475BDB0 Relevance: 4.0, Strings: 3, Instructions: 210COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Xxq$Xxq$Q?n^
                                                                                                                                                                                                                                          • API String ID: 0-2877184835
                                                                                                                                                                                                                                          • Opcode ID: 2e88509eef52a52b3a5606a1c5224c15e45b54d3cad10aadf514010a91d4ee1c
                                                                                                                                                                                                                                          • Instruction ID: 0484e7f82bcbeb0f56f9d7e817efac565c70814c53097124f14381a3f86c95b3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2e88509eef52a52b3a5606a1c5224c15e45b54d3cad10aadf514010a91d4ee1c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A716D747002018FDB05DF79D4905AABBE2FF88204B148A6AE906DF365EB74FC46CB91
                                                                                                                                                                                                                                          Function 0475BAD8 Relevance: 3.9, Strings: 3, Instructions: 191COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq$(xq$(xq
                                                                                                                                                                                                                                          • API String ID: 0-984040436
                                                                                                                                                                                                                                          • Opcode ID: 94a96b11ae44ffe6f19b7b3c35d2b7e54b220138e7a86620ffcfdc236064ea94
                                                                                                                                                                                                                                          • Instruction ID: 92a7af90167e024b86bb5c8cdbbfcd3da32c263c0d974bda566503edac7709b7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 94a96b11ae44ffe6f19b7b3c35d2b7e54b220138e7a86620ffcfdc236064ea94
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6B51BA317041148FDB04EF69D484AAEBBE6EF8435071440AAE90ADF3A1EEB0FD01CB95
                                                                                                                                                                                                                                          Function 047585C0 Relevance: 2.9, Strings: 2, Instructions: 438COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq$d
                                                                                                                                                                                                                                          • API String ID: 0-4179481474
                                                                                                                                                                                                                                          • Opcode ID: e850e6994c0229a658ebacb41483392b24bdbbdbabe05eb3c7976688c5885034
                                                                                                                                                                                                                                          • Instruction ID: c9d4772a9c790e1049eeff84348e6eec3d63611b17489e92423d85e54e097065
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e850e6994c0229a658ebacb41483392b24bdbbdbabe05eb3c7976688c5885034
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 07028C74A006058FDB14DF29C48496ABBF2FF88314B16CA69D85ADB366D730FC52CB91
                                                                                                                                                                                                                                          Function 047599B8 Relevance: 2.9, Strings: 2, Instructions: 373COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq$(xq
                                                                                                                                                                                                                                          • API String ID: 0-1913156493
                                                                                                                                                                                                                                          • Opcode ID: 42bf2ed96584f22615fb0de13ff16ff216b517ca756cbba4098abc53cd96542f
                                                                                                                                                                                                                                          • Instruction ID: 8d5072927e132e5b725035fd8e84f33687c0a75d3857c20f77f470499124068e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 42bf2ed96584f22615fb0de13ff16ff216b517ca756cbba4098abc53cd96542f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44F135B0A003598FDB05CFA9C884A9DBBB2FF89300F148595D849AF3A5DB74ED45CB90
                                                                                                                                                                                                                                          Function 04751630 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $tq$$tq
                                                                                                                                                                                                                                          • API String ID: 0-1837209516
                                                                                                                                                                                                                                          • Opcode ID: f04f8c52369c97e674d1a0048bb3545490074419f8b3a63f2cefa2973f572ef8
                                                                                                                                                                                                                                          • Instruction ID: 075875c55e3a9c59796d024c707f50f98ea1a878e75255b6ad811423f4d5ea82
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f04f8c52369c97e674d1a0048bb3545490074419f8b3a63f2cefa2973f572ef8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DB51C071B002088FCB15DF79D8446AEBBFAEBC9350B54852AE815DB364EF71AD02C790
                                                                                                                                                                                                                                          Function 0475A228 Relevance: 2.6, Strings: 2, Instructions: 137COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq$(xq
                                                                                                                                                                                                                                          • API String ID: 0-1913156493
                                                                                                                                                                                                                                          • Opcode ID: a6c71adc78850c09938159e2a0b116180c7a6a12635fad5a3a650cbc4a56272d
                                                                                                                                                                                                                                          • Instruction ID: 4f753a6595e2abce5c8303de847a68e92dd59c84565682be71462d481b76ce9f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a6c71adc78850c09938159e2a0b116180c7a6a12635fad5a3a650cbc4a56272d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9741E830B082549FDB15CF69C854B9EBFF2EF89710F1481A9D845AF391DA75AD02CB90
                                                                                                                                                                                                                                          Function 047530EC Relevance: 2.6, Strings: 2, Instructions: 136COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq$LRtq
                                                                                                                                                                                                                                          • API String ID: 0-2987158615
                                                                                                                                                                                                                                          • Opcode ID: 1278ba5553fc7ee976f918ea5907750595459609ea20b5f858d1d2c0110294a2
                                                                                                                                                                                                                                          • Instruction ID: ca0651b2715053c0166213ab3d7c1e7426cc7321032b902b3243096e52634dd6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1278ba5553fc7ee976f918ea5907750595459609ea20b5f858d1d2c0110294a2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AB41D170B082545FEB099A79985477E7BAAEB84744F048829EC06DB3B5EEB4BC018790
                                                                                                                                                                                                                                          Function 04756C20 Relevance: 1.6, Strings: 1, Instructions: 344COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: 5680b3edc7e1577cd61e3a1d7eb91abf3da55772637dc7dcf41073aafd7bcc3c
                                                                                                                                                                                                                                          • Instruction ID: 881a92cf08b7dc09ed95d14a233c067c12b08238651fc647a11ed7373708cc2b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5680b3edc7e1577cd61e3a1d7eb91abf3da55772637dc7dcf41073aafd7bcc3c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 09C1A170B041158FCB18DFAAC44056EBBF6BF88710B648829E84A9F365EB71FD41CB91
                                                                                                                                                                                                                                          Function 0475E1F0 Relevance: 1.6, Strings: 1, Instructions: 326COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Ayq
                                                                                                                                                                                                                                          • API String ID: 0-3966057519
                                                                                                                                                                                                                                          • Opcode ID: f9cd045209ea9d11d0ab5a25441105dc7df48abfd827bc4798cc419c4ae3d496
                                                                                                                                                                                                                                          • Instruction ID: baaa0169e090ecc5e660da063b490053a766a99c22ab0f2246df121ce08ae8eb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f9cd045209ea9d11d0ab5a25441105dc7df48abfd827bc4798cc419c4ae3d496
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6C17170B102198FDB14DFA5D494AAEBBB6EF88304F148429D806EB364EF74ED05CB91
                                                                                                                                                                                                                                          Function 06B89FE0 Relevance: 1.6, APIs: 1, Instructions: 68COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 06B89FF8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782136293.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6b80000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                          • Opcode ID: c59869a34aeeb822c9bd300689f2249b7290147a0f9ef0f12d1a907cb0d69087
                                                                                                                                                                                                                                          • Instruction ID: aa7e3cfa634324bc094931586d1f010aae477082910c431835e5d7b32cfdec89
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c59869a34aeeb822c9bd300689f2249b7290147a0f9ef0f12d1a907cb0d69087
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 73115C76E012049FEF50EA78D4803ECB7B1EB88324F2485A6D91563290EB36A908CB50
                                                                                                                                                                                                                                          Function 06B89FD0 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          APIs
                                                                                                                                                                                                                                          • KiUserExceptionDispatcher.NTDLL ref: 06B89FF8
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782136293.0000000006B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B80000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_6b80000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID: 6842923-0
                                                                                                                                                                                                                                          • Opcode ID: d1434af754e641b279990b67ae62f6e01e521ac2494cb8e7e20311aff2ad4108
                                                                                                                                                                                                                                          • Instruction ID: c6d5f49bb666d10e34123727d121f09fa2f0827fe51e9272b5d27d86ba247359
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d1434af754e641b279990b67ae62f6e01e521ac2494cb8e7e20311aff2ad4108
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3F1156B2D01344AFEF20EE34C4903ED77B1EF89364F248596DC1167280EB36A90ACB50
                                                                                                                                                                                                                                          Function 0475BE40 Relevance: 1.5, Strings: 1, Instructions: 273COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Q?n^
                                                                                                                                                                                                                                          • API String ID: 0-574994939
                                                                                                                                                                                                                                          • Opcode ID: fe01e38ee64d052d5d1fbd7cdf1b954c77f36765fd85686b4adf10ada73c001d
                                                                                                                                                                                                                                          • Instruction ID: a71021e3cd065515f0e72910f9dce2700b9cb12ea7e7651588116f0c75f3e03a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe01e38ee64d052d5d1fbd7cdf1b954c77f36765fd85686b4adf10ada73c001d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8B15A747006018FDB15DF39D584AAABBF2FF88204B048969E9468B365EB74FC46CB91
                                                                                                                                                                                                                                          Function 04751080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: d5f5cc28920aa102d1ced67bd62ab13f4a1eaf69f861eb2d6ec06a8958838fcc
                                                                                                                                                                                                                                          • Instruction ID: 4713c7d3e9c4e5ebaddc901335ca9e67312a4487d1dec10217d5b8dd10bc2a1e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d5f5cc28920aa102d1ced67bd62ab13f4a1eaf69f861eb2d6ec06a8958838fcc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 18718535B002149BDB14ABB6C8547AEB7A7EFC8311F558029E906AF364EE75FC428790
                                                                                                                                                                                                                                          Function 0475BE33 Relevance: 1.4, Strings: 1, Instructions: 191COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Q?n^
                                                                                                                                                                                                                                          • API String ID: 0-574994939
                                                                                                                                                                                                                                          • Opcode ID: 9e2e668a062355e57af7bcb7972e70278a18542b92157b78ababb90760b5b931
                                                                                                                                                                                                                                          • Instruction ID: cc6f103651ffb329a63c6f29f27bf6b285737a296e6c1f93531df72cff6eb689
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9e2e668a062355e57af7bcb7972e70278a18542b92157b78ababb90760b5b931
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B9716D74B006019FDB15DF35D4845AABBF2FF88204B04CA69E8469B366EB74FC45CB91
                                                                                                                                                                                                                                          Function 04756048 Relevance: 1.4, Strings: 1, Instructions: 189COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: a58c66bb50acc0ae6cfc23f58487b439e2ce408666ffd3edff2dd834c4b11017
                                                                                                                                                                                                                                          • Instruction ID: ea59ae14885f8a228e5c2b55d35f8d47a4591200bed585fed9fd17a2af313a7b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a58c66bb50acc0ae6cfc23f58487b439e2ce408666ffd3edff2dd834c4b11017
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F7715070A102089FEB09EFF5C4606DEBFB2EF88304F104529D5567B3A5DE35AD458BA2
                                                                                                                                                                                                                                          Function 047568E0 Relevance: 1.4, Strings: 1, Instructions: 189COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: 95a38069f99a4801a3d7fbd51329886f6511fd8a47966225c39908def3cd6990
                                                                                                                                                                                                                                          • Instruction ID: 80631aaa173d3e69500c3313e6ee47c600688c9b772b53f2a93079abbf7f7c1b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 95a38069f99a4801a3d7fbd51329886f6511fd8a47966225c39908def3cd6990
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD615F76B002059FCB11CF59C88099ABBF6FF8D31075481A9E919DB321DB31ED15DB90
                                                                                                                                                                                                                                          Function 04750C1C Relevance: 1.4, Strings: 1, Instructions: 155COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: 1a17423514524a56fde29e810b28fae72346c61062c987f8e463064cfec66dd9
                                                                                                                                                                                                                                          • Instruction ID: 2d6f7289cff737971f993d2bd7d12b174aa0fe89e76ace5286b41a20a704a4ec
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1a17423514524a56fde29e810b28fae72346c61062c987f8e463064cfec66dd9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1D512330B04254AFDB049B68C8547BE7BB2EFC9311F148469D806EB391DEB87C068791
                                                                                                                                                                                                                                          Function 04750E8C Relevance: 1.4, Strings: 1, Instructions: 155COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: 6911c3df0436a667f14ecd7a61a66ee84965764ffdaf84b28c8ea5b3c069bffd
                                                                                                                                                                                                                                          • Instruction ID: 573452fe8ae18681541d889e2fcf1c2620d254143d8bc748e92381af39a21d1a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6911c3df0436a667f14ecd7a61a66ee84965764ffdaf84b28c8ea5b3c069bffd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C3415B30B001141BEB18AA69D86477E679BDFC8311F44882DDC0AEF391DE75BC0287D0
                                                                                                                                                                                                                                          Function 0475BE30 Relevance: 1.4, Strings: 1, Instructions: 154COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Q?n^
                                                                                                                                                                                                                                          • API String ID: 0-574994939
                                                                                                                                                                                                                                          • Opcode ID: 55e963be811184b6e982dc02a4ed8a774e667ce4e35ef872599776c768a11184
                                                                                                                                                                                                                                          • Instruction ID: 2daeb9254e835fd814952fe8df1237c480527b05da139c340f391fb7d0a45aaf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 55e963be811184b6e982dc02a4ed8a774e667ce4e35ef872599776c768a11184
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C9515CB4B006018FDB15DF39D4905ADBBB2FF88204B04CA69D9469F365EB74F845CB91
                                                                                                                                                                                                                                          Function 0475C4D8 Relevance: 1.4, Strings: 1, Instructions: 144COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: 321c1e64988eeb5cd2ca193e91a2a05c0a72e175a012d82291ea64be09496af4
                                                                                                                                                                                                                                          • Instruction ID: 442602e8b4277a1dd361301714dbbd8f40e52dce47f49fc3a40e55f268ba44ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 321c1e64988eeb5cd2ca193e91a2a05c0a72e175a012d82291ea64be09496af4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3B51C1303047418FC726DB35D454A6ABBF2EF85700718CA69D84A8F361DA74FC46C790
                                                                                                                                                                                                                                          Function 0475E428 Relevance: 1.4, Strings: 1, Instructions: 132COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (Ayq
                                                                                                                                                                                                                                          • API String ID: 0-3966057519
                                                                                                                                                                                                                                          • Opcode ID: ed0b6d41aca6ea5b887de4b9fbf22d31d1be3b66b07020f5b132dcdf17c7b848
                                                                                                                                                                                                                                          • Instruction ID: 2e5d3f174481f1c041d68a0989bed2eacb532d7a0f775ff9c7153c330bf4c3ab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ed0b6d41aca6ea5b887de4b9fbf22d31d1be3b66b07020f5b132dcdf17c7b848
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66419070B10215DFDB14DF75D854AAEB7B6FF88604B108429E812EB3A4EFB4AD01CB91
                                                                                                                                                                                                                                          Function 0475EA88 Relevance: 1.4, Strings: 1, Instructions: 121COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: 576601e05147cdb625b1523ee0fa0181a0d782d280bd0f9aa6215697680c46f2
                                                                                                                                                                                                                                          • Instruction ID: 7fa3997a277f867d29192f7932437c480c77b9074109b536511b382e4ac88030
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 576601e05147cdb625b1523ee0fa0181a0d782d280bd0f9aa6215697680c46f2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9C31F070B042058FDB089B7ED4519BEBBABEFC96507104439E906CB361EF70ED028BA1
                                                                                                                                                                                                                                          Function 047585B0 Relevance: 1.4, Strings: 1, Instructions: 119COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: 5d9b710a0e49a504814e4d444bb65973c8ddf4ed3bd96249ff604fbeac0dbf96
                                                                                                                                                                                                                                          • Instruction ID: fc42f58d42973a35cd69ce166a3bba518b8809fe95e03a6aed1446947dbdf07d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d9b710a0e49a504814e4d444bb65973c8ddf4ed3bd96249ff604fbeac0dbf96
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7418C74A006048FDB14EF59C484A6ABBF2FF89314B168969D85AEB361CB31FC51CF91
                                                                                                                                                                                                                                          Function 047557B8 Relevance: 1.4, Strings: 1, Instructions: 119COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: ade7b28aa91cf113360d5d769f1c62998c1841746362066325cb68291f9f4974
                                                                                                                                                                                                                                          • Instruction ID: 98ac2ad10298e6458fdf2f5f02c9a1e84ccd727caa61fc311864113254f7c8f2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ade7b28aa91cf113360d5d769f1c62998c1841746362066325cb68291f9f4974
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4A31C36560E3C05FDB07973588646587FA19FC7214B8A44EBC4C4CF3A7EA58A80AC367
                                                                                                                                                                                                                                          Function 047545C8 Relevance: 1.4, Strings: 1, Instructions: 114COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: 6631476659a8473195b0c7a752b04cec2edfef7c1eebc99c3e93f52273a0b2d7
                                                                                                                                                                                                                                          • Instruction ID: aae7ea1753e45d49b6f8ad1b9597516dc3687423e3d65a6adc081a319d99d9b8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6631476659a8473195b0c7a752b04cec2edfef7c1eebc99c3e93f52273a0b2d7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AE310674B092449FCB14DB7DD444A9D7FF6EFC931470440AAE445CF362EA74AC428B91
                                                                                                                                                                                                                                          Function 04753719 Relevance: 1.3, Strings: 1, Instructions: 93COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRtq
                                                                                                                                                                                                                                          • API String ID: 0-4092542751
                                                                                                                                                                                                                                          • Opcode ID: 5c39407373f550e5924ff9e606712e4f4609007aeda9f7bca9f16d382accb90f
                                                                                                                                                                                                                                          • Instruction ID: 8d4a8d77e99835bd1ab45d128dc885fe2c9c0e3c7ddcabfb81db1f6e011efd96
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5c39407373f550e5924ff9e606712e4f4609007aeda9f7bca9f16d382accb90f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6721E171B042556FDB089A259885B7F7BEAEB85285F004829EC06CB3B5EBB4BC018750
                                                                                                                                                                                                                                          Function 04755F38 Relevance: 1.3, Strings: 1, Instructions: 72COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRtq
                                                                                                                                                                                                                                          • API String ID: 0-4092542751
                                                                                                                                                                                                                                          • Opcode ID: c123582b713885d33761a07c61eb5af08dbd9cf5adc6c8b8b55315d1b86318f2
                                                                                                                                                                                                                                          • Instruction ID: 5ceab9aa8eff2250e3e6ed88e48e6363949716030a5940e085d4e87a19dde581
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c123582b713885d33761a07c61eb5af08dbd9cf5adc6c8b8b55315d1b86318f2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0F218670B141049FDB149B69C455AADBBF6EF88610F54805DE806AB3A4DFB1AC018B90
                                                                                                                                                                                                                                          Function 0475AF10 Relevance: 1.3, Strings: 1, Instructions: 70COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \;tq
                                                                                                                                                                                                                                          • API String ID: 0-3840972847
                                                                                                                                                                                                                                          • Opcode ID: 98cc8bdd799bb4af5dbb93deb68297cc850f99877f8ec2ac6fdfd9ce81395003
                                                                                                                                                                                                                                          • Instruction ID: e47752f4f8ed5d63ecaf8ad1afe83e40d1295a878876f846b29041846b5c2971
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 98cc8bdd799bb4af5dbb93deb68297cc850f99877f8ec2ac6fdfd9ce81395003
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7F1182723042018FAB249AAEA49499BF7DBEFC8264314C13BF90DCB754DEA1FC014790
                                                                                                                                                                                                                                          Function 04755F48 Relevance: 1.3, Strings: 1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRtq
                                                                                                                                                                                                                                          • API String ID: 0-4092542751
                                                                                                                                                                                                                                          • Opcode ID: 658ddab3a4fdb07294de55b0e1db9a7551d5b6a5b704f6c012750be386f441bc
                                                                                                                                                                                                                                          • Instruction ID: bcf278341f4411b87504e1cc867c9aa007d0872a723bd71ff7d886a3d889116e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 658ddab3a4fdb07294de55b0e1db9a7551d5b6a5b704f6c012750be386f441bc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C7218134B141149FDB089F69C455AAEBBF6EF8C610F54841DE906AB3A4DFB1AC01CF94
                                                                                                                                                                                                                                          Function 04755F47 Relevance: 1.3, Strings: 1, Instructions: 66COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: LRtq
                                                                                                                                                                                                                                          • API String ID: 0-4092542751
                                                                                                                                                                                                                                          • Opcode ID: e48f514fd4cce7dbdcbc222fe5ef933f052c3550bed85cec381b3205ba6ad2d7
                                                                                                                                                                                                                                          • Instruction ID: a026068b26760e5ffb7f6585d3f4090d4c57ce56b66a91feb72efa075434c46e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e48f514fd4cce7dbdcbc222fe5ef933f052c3550bed85cec381b3205ba6ad2d7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1A219334B141149FDB089F69C455AAEBBF6EF8C610F54841DE806EB3A4DFB16C018F90
                                                                                                                                                                                                                                          Function 04753370 Relevance: 1.3, Strings: 1, Instructions: 65COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fyq
                                                                                                                                                                                                                                          • API String ID: 0-349389989
                                                                                                                                                                                                                                          • Opcode ID: 151273fe08a45d4b96bdc49130f8cacb50129f03a531bc3a6948aa1e4106402b
                                                                                                                                                                                                                                          • Instruction ID: c3f4b7b9dd57724db8c3d38b0ef2df940be88947819f2706afa4ac3f74119b25
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 151273fe08a45d4b96bdc49130f8cacb50129f03a531bc3a6948aa1e4106402b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B011B635B051056FDB049FA5E8459BFBBBAFB88700B008029FD06C7354DF34AD069794
                                                                                                                                                                                                                                          Function 0475C463 Relevance: 1.3, Strings: 1, Instructions: 60COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: Xxq
                                                                                                                                                                                                                                          • API String ID: 0-3018390252
                                                                                                                                                                                                                                          • Opcode ID: 6471b46784a03d1bce4216441e6c342ec0ec3e976314db7c126046e92ec29171
                                                                                                                                                                                                                                          • Instruction ID: 7b34e4a2464814779424ab2b32e5bfd47760403db83bff45b6e28538dce04abd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6471b46784a03d1bce4216441e6c342ec0ec3e976314db7c126046e92ec29171
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4B1188303083400FD7179A79944067E7BE2CFC530071045AAD846DF776EE60EC0293D2
                                                                                                                                                                                                                                          Function 04753380 Relevance: 1.3, Strings: 1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: fyq
                                                                                                                                                                                                                                          • API String ID: 0-349389989
                                                                                                                                                                                                                                          • Opcode ID: 8444fc1eb48721f39685101f51f5ef90b827f2ba510b181f8de6a32baee3c3ad
                                                                                                                                                                                                                                          • Instruction ID: fa0d0d3904855580ed76a0fad66a154adcddab4b62588bf39bf7e383da2ae596
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8444fc1eb48721f39685101f51f5ef90b827f2ba510b181f8de6a32baee3c3ad
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06118275B041055FCB04AFA5E845ABFBBBAFB88600B008029FD0AD7344EE349D068BD0
                                                                                                                                                                                                                                          Function 047599A8 Relevance: .3, Instructions: 299COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 45c9e014d9d01f334aa1ab2cbbe0b1c364d81803235e3e1ea059ad39ea8eeb8e
                                                                                                                                                                                                                                          • Instruction ID: a1c7fabedc2a1e498c06d65b7cadc7e85dfbe8b9013f78fac5b81f4c5c57bb08
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 45c9e014d9d01f334aa1ab2cbbe0b1c364d81803235e3e1ea059ad39ea8eeb8e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 95D1F5B4A00359CFDB15CFA9C988A9DBBB2BF89300F148595D808AF365DB74AD45CB50
                                                                                                                                                                                                                                          Function 04756038 Relevance: .2, Instructions: 189COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 81326a702029713dd436cc07963ce8e5fff21151f406351a185806bbd7f28b74
                                                                                                                                                                                                                                          • Instruction ID: b0c134457f9f514be1b2fbbd4fc57643d3f5f7cd705f49cb7a6c08a2ebe396e9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 81326a702029713dd436cc07963ce8e5fff21151f406351a185806bbd7f28b74
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8C717070A102089FEB09EBF5C8606DEBFB2EF89304F10452AD5567B3A1DE356D458B62
                                                                                                                                                                                                                                          Function 0475ABA0 Relevance: .2, Instructions: 186COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 55c12c479acb9eb05dac924853983be280545c277e92d77c871ba8736e40902d
                                                                                                                                                                                                                                          • Instruction ID: ad8dd3dab4a54bf792c911bade256ce047a27b3f1290b0179d86cb9f774a668f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 55c12c479acb9eb05dac924853983be280545c277e92d77c871ba8736e40902d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 245125347105018FDB09AF2AD49892A77F6AFC971172982B9E806CF375EEB1EC05CB50
                                                                                                                                                                                                                                          Function 0475E7D8 Relevance: .2, Instructions: 181COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1b96785852eda917525b1fd06497180994125b8768687c190c5845f663546e1b
                                                                                                                                                                                                                                          • Instruction ID: fa74c34b62fccba059b16252783a1ef5fd59de3f2d23bf69eb897ddd05ce3f87
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1b96785852eda917525b1fd06497180994125b8768687c190c5845f663546e1b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3A616F70B002059BDB58DF7AD5546AEB7F6EF88701B248429D806EB364EFB4BD018B91
                                                                                                                                                                                                                                          Function 04756BF1 Relevance: .2, Instructions: 167COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 726708b70e1ac133169d39eaddef808bc3278548166b9654fa4639f606558f3a
                                                                                                                                                                                                                                          • Instruction ID: 4138e348acba6dd05357bb5943d41030e952fdfa93b6be8584ab806c77f18f03
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 726708b70e1ac133169d39eaddef808bc3278548166b9654fa4639f606558f3a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23517D70B002068FCB05DB6AC84096EBBF2EF89310B558569E8499F366EB70FD45CB91
                                                                                                                                                                                                                                          Function 047560D9 Relevance: .1, Instructions: 146COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 76bb61167778b6d293295e4b8c909f3f356236b4a7d70118cd656aec91779d67
                                                                                                                                                                                                                                          • Instruction ID: 4d231e2d21f60bc00ab218ab724a23fb3ace0bb4c88fcf149de315092f0c7b75
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 76bb61167778b6d293295e4b8c909f3f356236b4a7d70118cd656aec91779d67
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9F510B74A102089BEB08EBF5C8606DEBF72EF88300F108129D6157B365DE35AD559BA2
                                                                                                                                                                                                                                          Function 0475C943 Relevance: .1, Instructions: 143COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5dd2aa8c5a78dfd84bbadb9f7657c88c26b0c06886a110e01c8cb2bff7fca179
                                                                                                                                                                                                                                          • Instruction ID: c73406f305b836def1ef426d73a6c491da1e975b2495e597de8a96d9a51abc11
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5dd2aa8c5a78dfd84bbadb9f7657c88c26b0c06886a110e01c8cb2bff7fca179
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3411A8680E3E11FE7139B3919B51D67F70AD6325830A01C7C1D1CF2B3E9546A0BD7A6
                                                                                                                                                                                                                                          Function 047534A8 Relevance: .1, Instructions: 142COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b08108503f6f53ece42e62494614edcec482bba5868b880abc99e30c4d8e330d
                                                                                                                                                                                                                                          • Instruction ID: 7494dc433edb95cfafb6fe10cb58126436f32643f6d58b43f63b79ac0b4d9da5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b08108503f6f53ece42e62494614edcec482bba5868b880abc99e30c4d8e330d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE51BD743151065BCB05EB7AE89056EBBA3EFC86047048A29EC069F365EF70FD4A87D1
                                                                                                                                                                                                                                          Function 04755483 Relevance: .1, Instructions: 142COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 88bc38c8484fc86efcaffe08237cafe83d8642c65729b416f7a792620ec54b10
                                                                                                                                                                                                                                          • Instruction ID: e1df8e71f3be7b252beb900ad0a6df2809d6b67d3c396214a5fbf9982327b3b0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 88bc38c8484fc86efcaffe08237cafe83d8642c65729b416f7a792620ec54b10
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 97512A74A11209AFEB04EFA6D8546EEBB72FF88304F508429E9067B395CF356D41CB61
                                                                                                                                                                                                                                          Function 0475B4F7 Relevance: .1, Instructions: 139COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c5d9c339a0fb3de3077a69cf0b1c9f07970169e5dff5b3e1eb23bf3de9693e34
                                                                                                                                                                                                                                          • Instruction ID: 59fa8424a4bc89bcb5d62a6eb2972f533c3b707963021d66f0784f0ec91f57e6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c5d9c339a0fb3de3077a69cf0b1c9f07970169e5dff5b3e1eb23bf3de9693e34
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7541ADB1A0E3D19FDB039B399C605E57F71DF87200B0940D3D880CF2A3E964A94AC7A2
                                                                                                                                                                                                                                          Function 047534B8 Relevance: .1, Instructions: 137COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: aa1dc112a35b4938e0a4323e830186f863fc6efc0ac3c94765f86d8be2abec46
                                                                                                                                                                                                                                          • Instruction ID: a7e0a6c92a651498799fe9c40af940e10d6a96d5814913537769a8cc38b43f20
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aa1dc112a35b4938e0a4323e830186f863fc6efc0ac3c94765f86d8be2abec46
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F519FB43151065BCB04EB7AE99056EBBA3EFC86047048E29EC069B355EF70FD4A87D1
                                                                                                                                                                                                                                          Function 04755490 Relevance: .1, Instructions: 136COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9a9c46f625e3bc6879f8f60c059f21b8707b7f811c0a21c74ad1fa6b46f92ec3
                                                                                                                                                                                                                                          • Instruction ID: e6085980bcab6b0ac0de6c2bee4f3f9c7c437193bce281bd642fba1b54b4b8ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9a9c46f625e3bc6879f8f60c059f21b8707b7f811c0a21c74ad1fa6b46f92ec3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6551FA74A11209AFEB04EFA6D8546EEBB72FF88304F508429E91677394CF356D41CB61
                                                                                                                                                                                                                                          Function 0475E7C7 Relevance: .1, Instructions: 120COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9604e3f8b20d3d2eabed340931dddec154b96a732f72674635535bfcd61a4197
                                                                                                                                                                                                                                          • Instruction ID: be0e5ed09129d1601c6f9a1ce2ab12686127e482c7c50f51fe0e4ffb7887f836
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9604e3f8b20d3d2eabed340931dddec154b96a732f72674635535bfcd61a4197
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5841B171B001059FCB199F7AD4546AEBBF6FF8C600B248429D806EB354EFB4BD058BA1
                                                                                                                                                                                                                                          Function 0475F681 Relevance: .1, Instructions: 116COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2d5f37b7ac4d00e5c1f66cea6f9d2dd473c9c0a21816763eaaa7fc52a08622d7
                                                                                                                                                                                                                                          • Instruction ID: 3e791e3082b4a681e6272285cb296dced5e520f204d58918b263b17575d8f575
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2d5f37b7ac4d00e5c1f66cea6f9d2dd473c9c0a21816763eaaa7fc52a08622d7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1841D4707042559FCB15DF3AC8589AEBFF6EF89204B04889EE586CB362DA74EC05CB51
                                                                                                                                                                                                                                          Function 0475E1E0 Relevance: .1, Instructions: 110COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a4e4025625bdb75d65aee8e099101d075aa216884b69f9c4263ff032d3ad61a2
                                                                                                                                                                                                                                          • Instruction ID: 5bc66c2516bb1202ce0ddfb554f193c1ca1889c08cc16a931c0b85495a1d0a4a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a4e4025625bdb75d65aee8e099101d075aa216884b69f9c4263ff032d3ad61a2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 38417975E006499FCB04CFA9C48099DBBB2FF89300F148029E805AB365DB70FE46CB80
                                                                                                                                                                                                                                          Function 04752268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 32afb390cba146af091ba20cee6ccb6ffed911714d8a05d45002ef6e00f69271
                                                                                                                                                                                                                                          • Instruction ID: d24eadff94ada92cb3352c62e01313eb74565c24378c3cacb0f45c5dcfb6feee
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 32afb390cba146af091ba20cee6ccb6ffed911714d8a05d45002ef6e00f69271
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 40412975B001149FCB44DF68D88099EBBB2FF89310B148169E905EB331DB31ED41CB90
                                                                                                                                                                                                                                          Function 0475F6A8 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fbb4d22c8ec6f4ac5e533c055a4a78a597292740b16113bad2c653bc11414e28
                                                                                                                                                                                                                                          • Instruction ID: bd93d3cb6429cf624d4707623c4ba0f7ea3412f7cfe82c859fc8d3691a045732
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fbb4d22c8ec6f4ac5e533c055a4a78a597292740b16113bad2c653bc11414e28
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD41BF707042559FCB15DF7AC888AAEBBFAEF89304B04886DE546CB361DA74EC05CB51
                                                                                                                                                                                                                                          Function 0475B080 Relevance: .1, Instructions: 103COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8467bedefba2fef1accf539c26a60f31ae13aa25041dc660b27505d7a6fb6242
                                                                                                                                                                                                                                          • Instruction ID: 7a902f77c2625463464c82c40d0408369a45acc5c7fe066d0cce709e8685fa96
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8467bedefba2fef1accf539c26a60f31ae13aa25041dc660b27505d7a6fb6242
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2E318F35B001058FDB10DEA9D880AAEF7AAEF84214B18C16AE91DCB765DB71FC118B90
                                                                                                                                                                                                                                          Function 0475AA43 Relevance: .1, Instructions: 102COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 667f74f91fd8ffeb790dfe681cf3a78f9481a25c7a58c4485adec13f6dfc00dc
                                                                                                                                                                                                                                          • Instruction ID: 418d87d29f9e8757323235a4ba6b89cb249d3fd68839811588a4c2bde4422f23
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 667f74f91fd8ffeb790dfe681cf3a78f9481a25c7a58c4485adec13f6dfc00dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 413193B4D093889FDB02DF78C4645AD7FB1AF8A314F0505EAC481EF3A2E6346944CB96
                                                                                                                                                                                                                                          Function 0475310C Relevance: .1, Instructions: 93COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3479f692385d25b43f671c7df4c4b0f19b88445668058e370f63892e806a74d2
                                                                                                                                                                                                                                          • Instruction ID: a25c420fc9c5598761336737d615d30272e98cfa28380eba3decb579bf3a0297
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3479f692385d25b43f671c7df4c4b0f19b88445668058e370f63892e806a74d2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BE219E7164A3583FD702257568193FA7F58DF413A8F008066FE488E372EAA5A84293D1
                                                                                                                                                                                                                                          Function 0475C558 Relevance: .1, Instructions: 87COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5b8af1fd85b624d23e3ccd733009b1fd47403c2456c6e0a9ce96260000a4933d
                                                                                                                                                                                                                                          • Instruction ID: a15f693429af0cca89e2f7eb4123d0ed4a5838f20ed6124fd33618cbbd24242b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b8af1fd85b624d23e3ccd733009b1fd47403c2456c6e0a9ce96260000a4933d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FE31AE742007418FC326DF25D598A26BBF2EF897017148A68D8468F362DA70FC46CB90
                                                                                                                                                                                                                                          Function 04755753 Relevance: .1, Instructions: 82COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 04feb3778432c4e715cbfe28da121c0d9ae5fd96d8696eb16253d66f6a66183f
                                                                                                                                                                                                                                          • Instruction ID: f5875c7242c07c874bd810a358e20149c7d435c3bc913c7088e51ff930ba8dd8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 04feb3778432c4e715cbfe28da121c0d9ae5fd96d8696eb16253d66f6a66183f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 25117BA660D3C05FE703973968A41D83FE5CFD2214B0944DBC4898F6A7F6582D4BC39A
                                                                                                                                                                                                                                          Function 0475B598 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 01832d196f4fe1042142081f1082073b5f0fd6d0522ba92787f8b6b1e3cd0b3b
                                                                                                                                                                                                                                          • Instruction ID: 0563b1dd72c7ce8015d9188c19ae0cb66e3cbdcc5337e85a7cfb191f85e27516
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 01832d196f4fe1042142081f1082073b5f0fd6d0522ba92787f8b6b1e3cd0b3b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9C21AF34B00208CFDB149E75E8456BAB7A6EB84311F00C475ED058B360EF70F942CB91
                                                                                                                                                                                                                                          Function 04753A29 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 21b4e520d0c3ccfca7d8686fd1d379213aae22cd1c53cee1163dbd36c29037ee
                                                                                                                                                                                                                                          • Instruction ID: 7395b3193689584e1198c92a9188e6194c19023a97727f8b44763ca903234af3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 21b4e520d0c3ccfca7d8686fd1d379213aae22cd1c53cee1163dbd36c29037ee
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1219234B00114AFDB14DF65D895AAA7BB2EF88354F148029EC05EB3A0DEB5BC47D790
                                                                                                                                                                                                                                          Function 0475B930 Relevance: .1, Instructions: 72COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eeddb8f4b935e1e46eadad1b5e07679068db7d58e82ad878f196909abc549518
                                                                                                                                                                                                                                          • Instruction ID: adcc6e902c4de611781ed715c44789b81fb3e78bf0b7e5a6bd2f90e5f6aed4dc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eeddb8f4b935e1e46eadad1b5e07679068db7d58e82ad878f196909abc549518
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A1130757042418FEB54DA6ED490A7AB7DAEFC8260714C03AAD49CB755EFB1FC018790
                                                                                                                                                                                                                                          Function 047530FC Relevance: .1, Instructions: 68COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 30abfcf5d3e84b1a0591dcc8237083d21835ebd3afb609dc6b8aab73faf4c94a
                                                                                                                                                                                                                                          • Instruction ID: c5001ea75ca6c2a9ff0bfacdcfefbf52e7d571709e360677eb3e2a61cc6a7c48
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 30abfcf5d3e84b1a0591dcc8237083d21835ebd3afb609dc6b8aab73faf4c94a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 92112960B093A81BFB152675181437E2F9D8B82798F1444AACD42DFBB2EED4FC0543E1
                                                                                                                                                                                                                                          Function 047528F8 Relevance: .1, Instructions: 68COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 455a9ebbae58f1135ccd11056ed7eb3bda7589fe7bd18b2fa6462553292ce76d
                                                                                                                                                                                                                                          • Instruction ID: 302706898dbc7bb1c59961e266580e73181f1c2f373bca91a96c3b0301ad0150
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 455a9ebbae58f1135ccd11056ed7eb3bda7589fe7bd18b2fa6462553292ce76d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0811499280E3E15FDB03AB38A9A51D93FB09F1311470A05D7C580DF2B3E9255A4AC7A6
                                                                                                                                                                                                                                          Function 04752258 Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 37592da57e1190f45b94fed339152dd43c1677c091b15effd6eb2e24dd25b4f2
                                                                                                                                                                                                                                          • Instruction ID: 219bcba81175504656b82dfee34f49dfa94d99a2b29b98f12ae37cba9e724b1c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 37592da57e1190f45b94fed339152dd43c1677c091b15effd6eb2e24dd25b4f2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A4212975A102189FCB54DF69D88499EBBB5FF8D710F10856AE905EB320DB71A842CF90
                                                                                                                                                                                                                                          Function 0475AE9F Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8f4092777291f946b0c003b5e36de828fa561afafd613d9af0fc1da604d260eb
                                                                                                                                                                                                                                          • Instruction ID: a07fdf32e7a2e7e35de38a3f506575da76dfdd8f5513fd73e57ca8a8b21ea62d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f4092777291f946b0c003b5e36de828fa561afafd613d9af0fc1da604d260eb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2511E5713082A54F9B1A56BE641449EBBDADFC616430881BBE90DCB362EE54EC0183E1
                                                                                                                                                                                                                                          Function 0475A219 Relevance: .1, Instructions: 62COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 78fa14eded27ad44bcb79cee3665f8c39c528cbac80d398bef1d607ccb67305a
                                                                                                                                                                                                                                          • Instruction ID: 049d34b43e78889e3adcbea6cd3b15ddc7dc37924e966bebd9b6162f93f4ff3b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 78fa14eded27ad44bcb79cee3665f8c39c528cbac80d398bef1d607ccb67305a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6C118E34B002099BCB14CF56D585BDEBBF1EF8C310F208125E905AB360CAB2AD45CBA0
                                                                                                                                                                                                                                          Function 04753A38 Relevance: .1, Instructions: 59COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6d1ae700e015c201c7f612b64ec81f4fe4e5ceea937f7e4a85ef72a7296dd4a7
                                                                                                                                                                                                                                          • Instruction ID: 1531749428bed40c85d99029d489a0de77ab1b4af769fdf2cff9655f9fb4709c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d1ae700e015c201c7f612b64ec81f4fe4e5ceea937f7e4a85ef72a7296dd4a7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5F114534B00114AFDB04DF59D855AAE7BB6EF8C315F149425D805EB3A0DEB5BC46CB90
                                                                                                                                                                                                                                          Function 04751958 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8f1548b9c0c713036d89b8c17cdb375f48d9f0982f04a70b04fffa51b1aa1c2a
                                                                                                                                                                                                                                          • Instruction ID: 654d8d8cc5a62fb794dff6c1d46a58dfd4330dd95af947cc769208780a6d187c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f1548b9c0c713036d89b8c17cdb375f48d9f0982f04a70b04fffa51b1aa1c2a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 72113031A00224AFCB04DFA8D855AAABBB6FF8C311F159419D80AE7350DB75BC46CB91
                                                                                                                                                                                                                                          Function 0475AAE0 Relevance: .1, Instructions: 56COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 17ffb893ac2bca888af59f3845ef60fe8ac478db8bef4d59587ddce28e4af995
                                                                                                                                                                                                                                          • Instruction ID: b9d8e71d4b36fdf801bd2ffae2a884b608a00c9beeaf495d782a4bdb807c24c2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 17ffb893ac2bca888af59f3845ef60fe8ac478db8bef4d59587ddce28e4af995
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A921BA74E0020DEFDB04EFA9D4909AEBBF2EF89314F5045A9D945AB354DB70AA40CB91
                                                                                                                                                                                                                                          Function 04751378 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4d8e2095c3bd91a12339590041a01165efcd3900e29a53424e0d8684d781e96f
                                                                                                                                                                                                                                          • Instruction ID: 18da6a89c8d326b069a26b5639ca08e875bb76308403c836386d55c90d0c7162
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4d8e2095c3bd91a12339590041a01165efcd3900e29a53424e0d8684d781e96f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 252115B4D042498FDB10DFAAC481ADEFBF4FF88324F148529D869A7250C7756905CFA1
                                                                                                                                                                                                                                          Function 0475A369 Relevance: .1, Instructions: 54COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ec3507198b1cc3e5d90e24a337e0268e128edeb401726b9e6fa73577308a8be7
                                                                                                                                                                                                                                          • Instruction ID: cc2d448a6b7ebe7ada63b2469217fc8e6363c0cb434ab954dec509484c5bb33a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ec3507198b1cc3e5d90e24a337e0268e128edeb401726b9e6fa73577308a8be7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB01452170D2A45FD71A1B79881802D7F629F4621831882EEC8899F7B7EA56AC03D3A1
                                                                                                                                                                                                                                          Function 04751380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6f5260d777f517320ecbdad76f19e8453c211f8e5e0fde573afd9bdb8d531354
                                                                                                                                                                                                                                          • Instruction ID: 93f475541ecabb4c3d49d3c67223b0ec19d1f9d4edac8099e621e91d456cb23b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6f5260d777f517320ecbdad76f19e8453c211f8e5e0fde573afd9bdb8d531354
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B11106B4D002498FDB10DFAAC481AEEFBF4FF88324F548529D819A7250C7756905CFA1
                                                                                                                                                                                                                                          Function 04752998 Relevance: .1, Instructions: 52COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 85a5f6095f6343f19f8e616acdcf954459e1d35beb4644116afd0b3eeaf3db80
                                                                                                                                                                                                                                          • Instruction ID: 45208c3fba0342aa4b44830ded7f9059900e2b47a68389fe03be366c7e41f534
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 85a5f6095f6343f19f8e616acdcf954459e1d35beb4644116afd0b3eeaf3db80
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E501E1B190E3804FD706CB74A8567D53FB0EF46204B1549DBE841AF273EA606D0687C2
                                                                                                                                                                                                                                          Function 04751968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a277242810419b932e51a94d6c92ea3aa6aa030ee31a7fc73c1822f238cf15b6
                                                                                                                                                                                                                                          • Instruction ID: 6b86561290a5e434ba3fa349786a24ac8d5a7ac769d7c45169ae782032ae90cf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a277242810419b932e51a94d6c92ea3aa6aa030ee31a7fc73c1822f238cf15b6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 21111C31A00224AFC704DF58D855AA97BB6FF8C311F149419E80AE7350EF797C45CB90
                                                                                                                                                                                                                                          Function 04751440 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3e4378c268006cb54ac87312cf1e897eafc37658888fb72e00c7b0c50d7cc756
                                                                                                                                                                                                                                          • Instruction ID: c1ba13024c89a185c76b069ed65dac1ecddb8c55490f99ee276c26939ff8eb11
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3e4378c268006cb54ac87312cf1e897eafc37658888fb72e00c7b0c50d7cc756
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E01D870B093451FCB095F79A8356367FAAEEC61017051CAEDD4ACF261FD14A809C7D1
                                                                                                                                                                                                                                          Function 0475B920 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5b8dcd4e9fa5809f5b29bde2d723c8391ed650675b19d10c5d2c5fb283e54510
                                                                                                                                                                                                                                          • Instruction ID: 13958a4e528074518e66e1c00087ffa82c5e0452eed867f5695e6f77351d248b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b8dcd4e9fa5809f5b29bde2d723c8391ed650675b19d10c5d2c5fb283e54510
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7901A7B17053408FE714C62D9890A7BBBD9DF993207544079AD49CB762EB71FC05C760
                                                                                                                                                                                                                                          Function 0475B070 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 75a85bf0c960feb4d6be00f8a49a5efc6bb726729edff084fa68c37b593f9a5a
                                                                                                                                                                                                                                          • Instruction ID: 14ad38826d8376c5280bf80dcdf43760704f0cec4ac409ed4489b37142285d9d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 75a85bf0c960feb4d6be00f8a49a5efc6bb726729edff084fa68c37b593f9a5a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E50149747042058FCB14CA6A884057EFBAAEFC5300704C579E91CCB321DAB1FC05C7A0
                                                                                                                                                                                                                                          Function 047567E3 Relevance: .0, Instructions: 46COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 01d20b6b2b9fabf371b87ca1771ce7e1b6d0dd7ce7f37447c5842098baadce60
                                                                                                                                                                                                                                          • Instruction ID: 1a3e4c4579f8c7fa732f93713abd51eeb07bb2be6cd3a7a3d0119ca7a9c8d4c1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 01d20b6b2b9fabf371b87ca1771ce7e1b6d0dd7ce7f37447c5842098baadce60
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4B01A5B0D00209AFDF04EFB9D4405DDBFB5EF45204B5085A9D504AB356EA30BA069B90
                                                                                                                                                                                                                                          Function 047556C3 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f74aad5aef75aa163b049793d127196d5f47b2a2f95d59ce32fac2a426ecb76f
                                                                                                                                                                                                                                          • Instruction ID: 50a77838c25bcbcb103cae7795abc3382359af753f7288b6f944fc1c23a27653
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f74aad5aef75aa163b049793d127196d5f47b2a2f95d59ce32fac2a426ecb76f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2A0126B02046407FE7149BBA98405AE7FA6EF85718744492DE54A9F345EFA0BC0A87E1
                                                                                                                                                                                                                                          Function 04751829 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a3af5d8a065ac67487f2d149e5c3406ddf8d62caa515085ab413dfb5bfa3d246
                                                                                                                                                                                                                                          • Instruction ID: dfa92af24cc86e61acce82d647f83c2a34471f9a1d0b0ce5f0fbf59da4559b63
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a3af5d8a065ac67487f2d149e5c3406ddf8d62caa515085ab413dfb5bfa3d246
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FD018431E0025887E718AA7894557AFBBF6EBC8715F24442DD902FB390CEB16D018BD1
                                                                                                                                                                                                                                          Function 0475CB90 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0ba77df81d5c43471a83f373e5c4618c9a943dd643c4cae6075d240b0bec0ad8
                                                                                                                                                                                                                                          • Instruction ID: 29cc5396decfcbc9fb9319a26bcd5bd54703d1c6baf924c11fd7bc4f4c63c0dd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ba77df81d5c43471a83f373e5c4618c9a943dd643c4cae6075d240b0bec0ad8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A0F090363082144FA7058B6DAC84A6FB7EAFBC4A6A314013AE909CB360DFB1DC01C790
                                                                                                                                                                                                                                          Function 044BD006 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1782826840.00000000044BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 044BD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_44bd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 50cd017e78d06cff5cb35d1735d11fdaf02fde631ef03cb346459d6a6d4fb177
                                                                                                                                                                                                                                          • Instruction ID: 1a22be934e519432275fa584d037b061b01c55582f2582abf9bc919e7e319d0a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 50cd017e78d06cff5cb35d1735d11fdaf02fde631ef03cb346459d6a6d4fb177
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B901526140E7C09FD7128B259894B52BFB4DF43224F1981DBDD888F2A7C2695849C7B2
                                                                                                                                                                                                                                          Function 044BD01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000002.1782826840.00000000044BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 044BD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_2_44bd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b35ca531ea4b60f3ce404992d6a9a03eea2b4580adb33e47684c72e0e68606d6
                                                                                                                                                                                                                                          • Instruction ID: 3127cbeff51fe51a8b0300874f148c106d6f0e98ae4a1796d40591c057d1cd44
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b35ca531ea4b60f3ce404992d6a9a03eea2b4580adb33e47684c72e0e68606d6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AE0120B19057409ADB208E25DC84BA7FF98DF41328F08C55BED890F242D379A842C6F1
                                                                                                                                                                                                                                          Function 04754F3E Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 62f3448d6b810548bcb8cd86b8740f487e78fd1682c2b7a0547081943674e0c0
                                                                                                                                                                                                                                          • Instruction ID: 5598996542c82224ffdf8eb529a8c4f0e6759518c3ea9de49b734a8fe61f9835
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 62f3448d6b810548bcb8cd86b8740f487e78fd1682c2b7a0547081943674e0c0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 27011271700105CFCB05DF79D88099ABBA1EF883187148AA9E4198F316EB31ED56CBD1
                                                                                                                                                                                                                                          Function 0475EA75 Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 613836dd6b54c0d86754e6093299dd92183221aec3f976df6c992c3ba6c07256
                                                                                                                                                                                                                                          • Instruction ID: 20f537aefe16b386b6a0975f9374e71daf9f204dd5a0a19275991653e2270e7c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 613836dd6b54c0d86754e6093299dd92183221aec3f976df6c992c3ba6c07256
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 16F096393096411FE715567D58504AABBBAABCA52435900A6E405CB363CE95AC064762
                                                                                                                                                                                                                                          Function 0475CB7F Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c47981b973fb5a9c21a02e0ead147183d2dd83901149d5184fefb33a8943546d
                                                                                                                                                                                                                                          • Instruction ID: 19180445f65e65a673082868746e9a1ca1346e38f3c84c8565de07c6219cfdfc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c47981b973fb5a9c21a02e0ead147183d2dd83901149d5184fefb33a8943546d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 85F0F0313093400FD7028B2AA854B6BBBE9EF8566530401AEE948CF371DAB1EC05C790
                                                                                                                                                                                                                                          Function 04756769 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cbbfa6841ec8bbce4766bb3744283a2d1f2b3842bf37a6746ccead00b552fd6e
                                                                                                                                                                                                                                          • Instruction ID: ca3945d4a029f3fb5bc0d252a40f9f3ae76858150c4a4cdf5dc33cd43fbc5137
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cbbfa6841ec8bbce4766bb3744283a2d1f2b3842bf37a6746ccead00b552fd6e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9D01A275B01501DBEB10CB68D68065DF3AAFB88325B90CA39C81A9F354D731EC45CB90
                                                                                                                                                                                                                                          Function 0475E3EB Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4474ecf06b0a87c92a1605a084dc77fe63f8e654978a3d52031c162a2a5dd227
                                                                                                                                                                                                                                          • Instruction ID: fe9c6a1f7a7de31325e6a98035a61a7adf159ea87736278b9b73de793eb1b31d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4474ecf06b0a87c92a1605a084dc77fe63f8e654978a3d52031c162a2a5dd227
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F40126717002014BE7008B6A88013BD7763EBC8B10F10882EDE01AF344EFB0BE058BD0
                                                                                                                                                                                                                                          Function 0475E36A Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0fd343010becaa8a24a374def9e7444f49ce860cc3d97b43699f978c009b3cb3
                                                                                                                                                                                                                                          • Instruction ID: 3373d81da377eec8d7dc24fddda510fa41f447bcfcafb58c571ba05c1388ed78
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0fd343010becaa8a24a374def9e7444f49ce860cc3d97b43699f978c009b3cb3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5F0F432B002114BEB159A6988013BD7367EBC8A50F54882EDE45AF344EFB0FD0687D0
                                                                                                                                                                                                                                          Function 0475AF00 Relevance: .0, Instructions: 39COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b210fbb77208f09e1ad13340fb85d9a1d4a7d13cc564233062da55758a70dd52
                                                                                                                                                                                                                                          • Instruction ID: 5664599728b5db48a7d2f2aaeac94a37a69ba82193714db468bddec882e0b92d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b210fbb77208f09e1ad13340fb85d9a1d4a7d13cc564233062da55758a70dd52
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10F02EF27042405FC7144A5E6880497BFDAEFCE260314817AF80CCB351ED60EC0647E0
                                                                                                                                                                                                                                          Function 04756880 Relevance: .0, Instructions: 39COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bf06325d2be1bbb8346f6a9c2f5dfc4845339b87366c8fd6ebeb2ae75f81ef4f
                                                                                                                                                                                                                                          • Instruction ID: 23f906dce11a159579a31432c4fcd0a43b65eea00ce0fb0f6bffce88bb1d7b10
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bf06325d2be1bbb8346f6a9c2f5dfc4845339b87366c8fd6ebeb2ae75f81ef4f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 49F0967110A3816FC7164A359C56482BFB4DA8B32038A86E7D848CF2B3D664BC47E3A1
                                                                                                                                                                                                                                          Function 047556D0 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6c61b9b81fe5b7a9e4be9f567536db535c95b09d3822e5eb5cacedba5f6c8fdb
                                                                                                                                                                                                                                          • Instruction ID: 0de35fd6abe4d3ab564eb52adbbf52308de07251b97785ccd05dd2b343740a34
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6c61b9b81fe5b7a9e4be9f567536db535c95b09d3822e5eb5cacedba5f6c8fdb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2AF0C2703106057BE714ABBAD4405AEBBA6EFC4718780892DE14A9F345DFB1BC098BE1
                                                                                                                                                                                                                                          Function 047568D1 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c6147e9e79f1325762229bd7b4023ea30239b7a407c78020c600eb840c4a8c99
                                                                                                                                                                                                                                          • Instruction ID: 77fbbb8520c1b0d54e21faaccd7f7ebeaf6c6bf1f506a505f1cbe0ed2e437e80
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c6147e9e79f1325762229bd7b4023ea30239b7a407c78020c600eb840c4a8c99
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9CF09676604255AFC702CB59D840C89BFF5EF9935034980AAE94CCF362E771E914CBA0
                                                                                                                                                                                                                                          Function 0475C4C9 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0ed624a1201b102a50b8d5b72cd327b5a3bb89753dc01a09b17df77ffcad2807
                                                                                                                                                                                                                                          • Instruction ID: dc71d5f7b389d0d3293e7a0ef3da81043af2addca43bad5728ceeeb8b02b039b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ed624a1201b102a50b8d5b72cd327b5a3bb89753dc01a09b17df77ffcad2807
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 17F02E312083411FD7276A765400BBA7F558BC2750B5445A7DC459F769F9E1FC04C3D1
                                                                                                                                                                                                                                          Function 04754553 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8ee1b0cb56b18c9f05877c76cb91bb50fceeaf05f5897e75a1d0f294e967a02f
                                                                                                                                                                                                                                          • Instruction ID: 0cc4cad1d2a30d8af1bb37792529d98f85c33cb0aa1511c286ed1d9e018ceabb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8ee1b0cb56b18c9f05877c76cb91bb50fceeaf05f5897e75a1d0f294e967a02f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 38F05931308B502BD302A72AA40054E7FA5DFC6264300447EE44D9F356EE50FD4683A6
                                                                                                                                                                                                                                          Function 047567F0 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 244fda45191095f46a452b31d63f5056a5502319717b49dec0d9b97429987085
                                                                                                                                                                                                                                          • Instruction ID: 1a3e79b0ece405d42b58a46bb98aab6531dbd414fe42c125cf27bfdb517d3f52
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 244fda45191095f46a452b31d63f5056a5502319717b49dec0d9b97429987085
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A1014BB0E01209EFEF44EFBAD44059DBBB5EF88204B4085A9D905AB355EA30BE059B90
                                                                                                                                                                                                                                          Function 047557A8 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ed2bc54ac5f1704490e5e5f017dcac94549c193231c9e4ba865515060e6ff184
                                                                                                                                                                                                                                          • Instruction ID: f5b9b578d17a5f9b9591d6607a9981a942e90b2191c813fbe4e51564b5377122
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ed2bc54ac5f1704490e5e5f017dcac94549c193231c9e4ba865515060e6ff184
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CBF0B4303043055FDB159A3AD85095A3BE9DFCA21430448AAE445CF376FA61FC1183A5
                                                                                                                                                                                                                                          Function 04751431 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 85366a642096987ace62ac0cf72a205bff08f57faeb266df3ffd742fbbc98632
                                                                                                                                                                                                                                          • Instruction ID: 4c39c06e78f218a6e2feb76d84d55ed2af4ded536b36d7eb6b61e3ef6a5e645e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 85366a642096987ace62ac0cf72a205bff08f57faeb266df3ffd742fbbc98632
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C8F096B0B092451ECB085F79A86663A7F9BEEC52117442C6ED94ACF261FD24A805C7D1
                                                                                                                                                                                                                                          Function 047545B8 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c9d0e685a96b1fbe3f4c8ded86cdca6ed9578e278d6730738e6b78236cb34b93
                                                                                                                                                                                                                                          • Instruction ID: fa6812b27277a6983f7c71179d02615c7b9dba2395ac906e1a89ec8e2226e789
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c9d0e685a96b1fbe3f4c8ded86cdca6ed9578e278d6730738e6b78236cb34b93
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5EF0E9753082418FD7159B7DE85066D3FF2DFCA2043084969E489CF371EA20FC428B61
                                                                                                                                                                                                                                          Function 047546C8 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1aab41b64c15d406d5d0cf9c728dbf0f887d8b4b2583924b96cf9874084504ab
                                                                                                                                                                                                                                          • Instruction ID: 5ecc6cfdb065dc6ebd541c1a54a620eb3b98b7e91a102c7305866a11964c66c6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1aab41b64c15d406d5d0cf9c728dbf0f887d8b4b2583924b96cf9874084504ab
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66F0B4B4D0924CAFCB40DFB9C44569CBFF4EB45300F0044EAD814DB361E67456569F46
                                                                                                                                                                                                                                          Function 0475C688 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: debbb3084acdefaab1060311947f092c1b6b5a8f44a4dc1508c5cb594e8e5ffd
                                                                                                                                                                                                                                          • Instruction ID: e8e6624aa6c2a6a17392bfa98e56647291ac9e20655cfc239e1e4508a5839eb2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: debbb3084acdefaab1060311947f092c1b6b5a8f44a4dc1508c5cb594e8e5ffd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9FF030753103124FD719DA799854576B79AEF882A470495B5DD08CB320EEB1EC428790
                                                                                                                                                                                                                                          Function 047538B0 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 630bf6f9b67e23045fd5d2bd106c351b169f58da843a3a54e3f5f725c9bbe6f3
                                                                                                                                                                                                                                          • Instruction ID: cbe61ac5387b449ad0b58b1b232bfeca5bafb578eb19670bdb872e1f69427a82
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 630bf6f9b67e23045fd5d2bd106c351b169f58da843a3a54e3f5f725c9bbe6f3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C2F0E5607187580BFB2521B5191035A2FD94B427DCF11007BCC81CEBB2E6C4FC0593E1
                                                                                                                                                                                                                                          Function 047536A9 Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5ff6ce920ffd3f1a19c13ed1381eda150fd27f464e9d7eb817443fe3994bda7f
                                                                                                                                                                                                                                          • Instruction ID: 956d5adb96cf5b519f8bbd8d00a2e06a07357c4dc886d159b92f1e0c4f7e2c07
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ff6ce920ffd3f1a19c13ed1381eda150fd27f464e9d7eb817443fe3994bda7f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 55F0A770E01215AF8B40DFAA980129EBBF4DB04280B20446DCD19DB320F370AA129FD0
                                                                                                                                                                                                                                          Function 0475AB90 Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0a87c728e26f2c0132b0f2a39bd429aacc60c652bd0128b16326ba058fca7e08
                                                                                                                                                                                                                                          • Instruction ID: 9024c4048d1b92bf6ddd3a9a7c803fbbae7334708e5bb6a51397759a3b01e5ad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0a87c728e26f2c0132b0f2a39bd429aacc60c652bd0128b16326ba058fca7e08
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 57F0EC313053404FD3055A3A9855955BFF5EB8722175982FAE509CB3B2D964DC04C390
                                                                                                                                                                                                                                          Function 04754560 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3e404ad0ae959631dfa82c7715850995f8e13d30a141a1647ede2d027403c837
                                                                                                                                                                                                                                          • Instruction ID: 2722fed4ff659a77032902410b78719f207b0f702e68762d64b77245fa070dae
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3e404ad0ae959631dfa82c7715850995f8e13d30a141a1647ede2d027403c837
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89E02B31300A00179615A76FA40055E7BA6DFC9664340443DE40E9F305EE64FC4647E5
                                                                                                                                                                                                                                          Function 0475C1D0 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4f48e3ac1ed2d143ca203249cbd80d39b445bf4573884c7ecc3517a75a242d14
                                                                                                                                                                                                                                          • Instruction ID: bfe003692d6adfaeecc75671d6c1d0cc7c088df906d02ad5ca405a018abb94ed
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4f48e3ac1ed2d143ca203249cbd80d39b445bf4573884c7ecc3517a75a242d14
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31E02B701097001FD6067665901919E3FE5EBC7364744006FEA41CB312DDA47C018BA1
                                                                                                                                                                                                                                          Function 04753CC0 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 65f3859b0577df55bc52f0e35b417d3fb0e4c8c8e17f0af1bd5e7cf4af589ec8
                                                                                                                                                                                                                                          • Instruction ID: 8837a74934d1f376c5ce66f5404d0f059e8528b630d31a20096d3b3e4775479b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 65f3859b0577df55bc52f0e35b417d3fb0e4c8c8e17f0af1bd5e7cf4af589ec8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10E0D83630A2901B5A06156E24250A97F79CAC396134540ABED45CB3A2CE55AC1A43E2
                                                                                                                                                                                                                                          Function 04756AAF Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 74f708f5c557e0f94876fe429eda86ef03a07bdfd9f7b407fc394efd54b59c67
                                                                                                                                                                                                                                          • Instruction ID: 0fe97ed8656a75bbfb601ec6c29bf9dc8014d64b4ed0745ee0718cac9c8d650a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 74f708f5c557e0f94876fe429eda86ef03a07bdfd9f7b407fc394efd54b59c67
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D4F06DB12052449FD311DF5CD880C817BF9AF5920478582AAE94CCF372E761ED26CB90
                                                                                                                                                                                                                                          Function 0475C678 Relevance: .0, Instructions: 27COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4f7804a0890ebf906307bf95343f06641db4eb9d099bb6bfe6b1b81c390effd6
                                                                                                                                                                                                                                          • Instruction ID: 1832abbd03dc63c557c4a26c184629d3fa78414fdcbeff7037fde3add4b37dda
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4f7804a0890ebf906307bf95343f06641db4eb9d099bb6bfe6b1b81c390effd6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F7E0D87A2063425FC70756314918161FFAADA4615430996E2DD048F322D9B0EC43C391
                                                                                                                                                                                                                                          Function 047546A0 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 936d3608f850dedd1dfc5fe2ccaf36a4c6e93b5c641cc5ed50ec785c1e458820
                                                                                                                                                                                                                                          • Instruction ID: 1d97fa3149419541702bb1c018e4e84b852f8ef6a77fc81565829566a2ba75a4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 936d3608f850dedd1dfc5fe2ccaf36a4c6e93b5c641cc5ed50ec785c1e458820
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CDE086B58096085BE3118B5584412653B98D66330875418D6DC459F732F551FD83B7A7
                                                                                                                                                                                                                                          Function 04753C89 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cd9a4dc3bfe0cffcbb6a53304d86ac60b7220b8b5f3201a04936ffe051a89b3f
                                                                                                                                                                                                                                          • Instruction ID: b7ed4529b2658afc788ef2dde3ef5fb6dc2eba8fcd87248e894a9c5431dfa861
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cd9a4dc3bfe0cffcbb6a53304d86ac60b7220b8b5f3201a04936ffe051a89b3f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8FE0262231E3948ADB06037634290B83F34C6832C534404E6EE4BCF3B3E652F8389350
                                                                                                                                                                                                                                          Function 047536B8 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                          • Instruction ID: 14fa8cc8d4f75924f9f16c6446010b925c5e8a05354c72a3195dc02353a04595
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0cfa8bbc40a4569aa7e3c07af7d9aef3d38a138ce3fc30ebf22d8fba1c64544d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 72E0ED70F0021A9F8B40DFA999001AEBBF8EB48190B10856DCD19EB320F272AA119BD0
                                                                                                                                                                                                                                          Function 04753CFF Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bd63a360b11425a093477c898b67a48a1c0be73db58b8cdbf05ebb10b2152504
                                                                                                                                                                                                                                          • Instruction ID: 2e4c87b711301a819814393a61e45df4718dac83d87e44b32993111381a85ee0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bd63a360b11425a093477c898b67a48a1c0be73db58b8cdbf05ebb10b2152504
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 78E092B0919289AFCB00DF75E9155DCBBF8DB0621872084EADC44DB373E9317E119792
                                                                                                                                                                                                                                          Function 047517F0 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8129205c19f4a886e0cc272e1504274b338f378e82cf078bb3b9e8a473a24703
                                                                                                                                                                                                                                          • Instruction ID: c484f84b781c67037617d962377ddead306d31068e12b701ed1955f19fecab0e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8129205c19f4a886e0cc272e1504274b338f378e82cf078bb3b9e8a473a24703
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DDD0C23361D1840FC3021B60A8154A53F78DB5A12130840A3ED40CB362CA612C56D7D0
                                                                                                                                                                                                                                          Function 0475C1E0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 41cd2c464925bc9342c9433144d720dc6db326528ad83697d60f0e75c8c696a6
                                                                                                                                                                                                                                          • Instruction ID: ef09dd33a6a4c0f0fe12c5dfda5a04a4ea961ec74e2fc38d70cfe04f9b28abed
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 41cd2c464925bc9342c9433144d720dc6db326528ad83697d60f0e75c8c696a6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42E0C23120570457D6147B6AE00459E7BEAFBC9768B84043DE44687701DE75BC418BE5
                                                                                                                                                                                                                                          Function 04753CD0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 513472874ddc1d0fe358a4f5844dd3132ac6af96b208f095434a393c75edf665
                                                                                                                                                                                                                                          • Instruction ID: 481a147ee66501dabcb06d9895ea0243f28201f89f2683ad6dd0856f83c27ce5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 513472874ddc1d0fe358a4f5844dd3132ac6af96b208f095434a393c75edf665
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 57D0A736311120131A04259F74244AE77BECBC5D62394003FEE0AC7340DF55AC0613E5
                                                                                                                                                                                                                                          Function 04756AC0 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d4b7e966fbeeec077f236c7cd60cf8e01196108540212572ed005a4ee56b02b9
                                                                                                                                                                                                                                          • Instruction ID: f731636675c8a134e28e0cb881f4a0ac901fb14ef2fd49279315df0a91c4db68
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d4b7e966fbeeec077f236c7cd60cf8e01196108540212572ed005a4ee56b02b9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 67E0ECB53042089FD314DF5CD880C91BBE9EF992543558199E94CCF722D762FD22CB90
                                                                                                                                                                                                                                          Function 04753938 Relevance: .0, Instructions: 19COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 233b5f8a5c2fd78b7c01232534bf5c77bdf12718f6f189ea1231f36406e0c931
                                                                                                                                                                                                                                          • Instruction ID: 9702870b1abbc2483a99961873d4cee7925cbb795b5b799949cb2be0f2a93935
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 233b5f8a5c2fd78b7c01232534bf5c77bdf12718f6f189ea1231f36406e0c931
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 01D0A756F4F3E02BCB1512B424195D9BF58CB82A68F0584E7DE089F772E6A9AC0143C1
                                                                                                                                                                                                                                          Function 047567DB Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f337da5bb51decab7528e7258aa43c7f13ca0e1c362b8a10870f6564edc58df8
                                                                                                                                                                                                                                          • Instruction ID: 98ce9ba58edbf94ef2dbc457e41536ab139a409c947a46b4a01e39a46337e867
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f337da5bb51decab7528e7258aa43c7f13ca0e1c362b8a10870f6564edc58df8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7ED01270915109AFCF01DF65D40545C7BB4EF442097408999EC245B222EA723906EB91
                                                                                                                                                                                                                                          Function 04750C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fc8207e54b57bbc10b56118c25eda24d03ba45944fbf4a6217f14ac021fac304
                                                                                                                                                                                                                                          • Instruction ID: 704a6102f40a04cc17497b7a1acf3f81fca4cf529e1733aeb0b33481d369a676
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fc8207e54b57bbc10b56118c25eda24d03ba45944fbf4a6217f14ac021fac304
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B8D0A7327240186B93006619D84997A7BA9E7893713504827FD028B320EDB17C4593D5
                                                                                                                                                                                                                                          Function 04753D10 Relevance: .0, Instructions: 16COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c1c296fb6ed61d7f1a975d0d0b9650ebed9602c025c5076cdb306d03628cdb4d
                                                                                                                                                                                                                                          • Instruction ID: 2b6cb784d33920c29a980dfbd0e1bc9d58c5edb7377f0c2bee4dd71378a0ca04
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c1c296fb6ed61d7f1a975d0d0b9650ebed9602c025c5076cdb306d03628cdb4d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C3D01770A15109EF8B10EFBAE90159DBBF9EB48214B1085E9E909E7251EE317F019B91
                                                                                                                                                                                                                                          Function 0475E32A Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8eed4ace09fbd596e8d33dc46b142465a994ffb4cf2345959df27dd1178cb072
                                                                                                                                                                                                                                          • Instruction ID: 80f14d69fd0d863f483105f4d96e9154351ac00bed3ca50b5bd7ad9b6c1ed1cd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8eed4ace09fbd596e8d33dc46b142465a994ffb4cf2345959df27dd1178cb072
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8E01270A0860ACBDB149FE1D5647AE7772FB04305F208418DC01EE354DBB46646CF40
                                                                                                                                                                                                                                          Function 04752968 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a0473bca4045c499681b51d984902d1a6033b2eba7e8c87d54eb16cdd7c7cfe0
                                                                                                                                                                                                                                          • Instruction ID: 45b8c0636cc469fc778609a36068304ee18cf6474d53171a88fb3b13876b5b71
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0473bca4045c499681b51d984902d1a6033b2eba7e8c87d54eb16cdd7c7cfe0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1ED05EB090920ADFCF00DFB5E94195DBFF9EB48200B208AA5A805D7210EE30AE00CB82
                                                                                                                                                                                                                                          Function 04753C98 Relevance: .0, Instructions: 14COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dc18a1280bebf42efceea760e7eca9e828f96dd02e10e0984d1ab60100b37ba4
                                                                                                                                                                                                                                          • Instruction ID: 2f9394aea3c0649914a344097f1f5ea5ca554f8ae9c322a0e4cadebcb16fc4ac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dc18a1280bebf42efceea760e7eca9e828f96dd02e10e0984d1ab60100b37ba4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14D01230315204CBCB48DB65E56557977B9DB886443408CACAC0FCB3A2EF66FD16C640
                                                                                                                                                                                                                                          Function 04750440 Relevance: .0, Instructions: 13COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c03f307c59d8df0cbdb625e5149d43738f124e12a1923606eb4a58462f5d9158
                                                                                                                                                                                                                                          • Instruction ID: f06703a36e5eb206f042d189c9fe67b865cd428f614ac5ee4752183cff6ef784
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c03f307c59d8df0cbdb625e5149d43738f124e12a1923606eb4a58462f5d9158
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2EC080729587505BD2054A4C08484BBFFF8FFB3719B48C99FD484C9012F325A417D1E1
                                                                                                                                                                                                                                          Function 0475858F Relevance: .0, Instructions: 11COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5b148f900ac403fe7b854a9341e824b51098e8dac47f43b3f12c4654d45892f7
                                                                                                                                                                                                                                          • Instruction ID: 7226f9f0344ff9930e65e3c41d7817e77ccd3cbe4739325a886299e7780587c7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b148f900ac403fe7b854a9341e824b51098e8dac47f43b3f12c4654d45892f7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5C012E290D6806FCF028AB08E6868E3FB0AB22701F16808AE991581A3D0A84412D727
                                                                                                                                                                                                                                          Function 047546B0 Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c162ffd45866a48469fb7d8442ab060fef1a7ac2dd977a4c77f2c8b7f85798f9
                                                                                                                                                                                                                                          • Instruction ID: 574a675c0df188e68ba0a358c873803075467e54e622a569556155956bbef06d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c162ffd45866a48469fb7d8442ab060fef1a7ac2dd977a4c77f2c8b7f85798f9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6AB092B490530CAF8620DE99980185ABBACDB0A224B0001D9E90C87320D972A91066D2

                                                                                                                                                                                                                                          Non-executed Functions

                                                                                                                                                                                                                                          Function 0475F7E8 Relevance: 7.6, Strings: 6, Instructions: 148COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000004.00000003.1782098479.0000000004750000.00000040.00000800.00020000.00000000.sdmp, Offset: 04750000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_4_3_4750000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq$,xq$,xq$Hxq$`]yq$`]yq
                                                                                                                                                                                                                                          • API String ID: 0-2994989932
                                                                                                                                                                                                                                          • Opcode ID: aa0fd1038bf719f35b5a30c3cb53016c77ec25d1f01738d95235f80ddabd2910
                                                                                                                                                                                                                                          • Instruction ID: d50c728f77e14e48784d7d07b3c03752605b5b0500c45bf0e5ec50bac2ebd67b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: aa0fd1038bf719f35b5a30c3cb53016c77ec25d1f01738d95235f80ddabd2910
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6E412431B085189FDB245A3EA41446D77E6EF8AB2532400AFD906DF3B1DEA0FC4187D5

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 070D50B8 Relevance: 1.5, Strings: 1, Instructions: 283COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \VPm
                                                                                                                                                                                                                                          • API String ID: 0-1091993013
                                                                                                                                                                                                                                          • Opcode ID: c35a7ea6941320e1ff7130ca7df2b82fe27507cd032ca3a3ed060585f879590f
                                                                                                                                                                                                                                          • Instruction ID: 9417db14d063c6f3a5c34d5ed75c011bb221b8f5613da31d749589511e2bf85b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c35a7ea6941320e1ff7130ca7df2b82fe27507cd032ca3a3ed060585f879590f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C4B11BB0E0031ACFDB54CFA9CC857ADBBF2AF89314F248629D815E7294EB749855CB41
                                                                                                                                                                                                                                          Function 070D59A8 Relevance: .3, Instructions: 268COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a8cee945f5721469dd2c69057d0c1ad692e8f42a7a1349b2a8ee5a5e0c664288
                                                                                                                                                                                                                                          • Instruction ID: 97bf0b5c784c40e3479ba0d2bc394a34b8c46c3fa78497e665e31e9b4abe1c67
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a8cee945f5721469dd2c69057d0c1ad692e8f42a7a1349b2a8ee5a5e0c664288
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 05B15EB0E0031ACFDB54CFA9CC8179DBBF2AF88314F149629D815EB294EB749855CB91
                                                                                                                                                                                                                                          Function 070D1630 Relevance: 2.7, Strings: 2, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: $tq$$tq
                                                                                                                                                                                                                                          • API String ID: 0-1837209516
                                                                                                                                                                                                                                          • Opcode ID: 2b332da4f30567f15eab17489d60cf4886da9acdcac4d24d1778bd6deaa84d2c
                                                                                                                                                                                                                                          • Instruction ID: c7ce6d283f41224a8bfdd1d81c5456e55e6a6870a1d7b9e41f003f7eac367c96
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2b332da4f30567f15eab17489d60cf4886da9acdcac4d24d1778bd6deaa84d2c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC51A0B5B003099FCB15DFB9D8406AEBBF6EFC9250B14826AE409D7365DE309D42C791
                                                                                                                                                                                                                                          Function 070D50AD Relevance: 1.6, Strings: 1, Instructions: 311COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: \VPm
                                                                                                                                                                                                                                          • API String ID: 0-1091993013
                                                                                                                                                                                                                                          • Opcode ID: 8f109618a382f099772c26392743b851b1d3b9a0173b9bf0a968120d6f22c0df
                                                                                                                                                                                                                                          • Instruction ID: 0bb9b7a49d9e42babb0546f0c5480a491167d4d6b3b4fb25cd9915bdee5aef91
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f109618a382f099772c26392743b851b1d3b9a0173b9bf0a968120d6f22c0df
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44C139B0E0030ACFDF54CFA9D8857ADBBF1AF49314F248629D815E7294EB749855CB81
                                                                                                                                                                                                                                          Function 070D1080 Relevance: 1.5, Strings: 1, Instructions: 212COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: cef7c2c351d938c5ffe75e7d8a0a6f1283ac83bbf40d5743d92b382d709b92d4
                                                                                                                                                                                                                                          • Instruction ID: eb1d57e11f785727e9a264df6a7a435cc1fe074adaa94b68055c7e838e7c3d00
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cef7c2c351d938c5ffe75e7d8a0a6f1283ac83bbf40d5743d92b382d709b92d4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0671F5B1B00308DFDF049BB5C8146AEBBE7AFC8300F158229E506EB3A4DE759C428781
                                                                                                                                                                                                                                          Function 070D0C1C Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: (xq
                                                                                                                                                                                                                                          • API String ID: 0-3100309293
                                                                                                                                                                                                                                          • Opcode ID: 8c944ee9133bff8517a9d34eed5cadc09ee0a7de2b70b9875b516860ae3ca7bf
                                                                                                                                                                                                                                          • Instruction ID: 484a4847a417af3099afdd042cc7eeb1e3e7dcdb3c0a1a928f811498c203c0d8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8c944ee9133bff8517a9d34eed5cadc09ee0a7de2b70b9875b516860ae3ca7bf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C93139B07083599FDB15A77984203FE7FE39BCA310F15856AD406EB282CE784C058793
                                                                                                                                                                                                                                          Function 070D599C Relevance: .3, Instructions: 269COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3e86c013c021f1039cc3d53154cd406628a1761b5685d33a4852076df7ebc18d
                                                                                                                                                                                                                                          • Instruction ID: 54ab0b3d9ec41d9fc8b3036fd878fd3cf35430fe2c924d1297a46b653c30ae50
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3e86c013c021f1039cc3d53154cd406628a1761b5685d33a4852076df7ebc18d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74B15BB0E0031ACFDB54CFA8CC817DEBBF1AF48314F249629D815AB294EB749855CB95
                                                                                                                                                                                                                                          Function 070D2268 Relevance: .1, Instructions: 106COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4439ef464cc478ad1be21d8fc3ba1858d07d10808493ef9700d35ae0c10b8bda
                                                                                                                                                                                                                                          • Instruction ID: b13cf8cfaf0d3159f38b539a2ee9eff6bb5b593370e6bcbd3dd4586675ee6dd3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4439ef464cc478ad1be21d8fc3ba1858d07d10808493ef9700d35ae0c10b8bda
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3441F7B5B102149FCB54DFA8D98099EBBF6FF88310B14816AE905EB364DB31ED41CB90
                                                                                                                                                                                                                                          Function 070D1072 Relevance: .1, Instructions: 74COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 98a91b83a671c7a31c50c8b94130e7f0a825c471d46909596fda180123763193
                                                                                                                                                                                                                                          • Instruction ID: 87658267dac922a495faa74cea91119f5f56835de510944984ab1d4b92e413ef
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 98a91b83a671c7a31c50c8b94130e7f0a825c471d46909596fda180123763193
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 39110DF6B0031897CF159BB6DC406FEBBDA9B89250F058236D906D7380DE748D468791
                                                                                                                                                                                                                                          Function 070D2258 Relevance: .1, Instructions: 65COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cc4dc1661fc4c890c80b32f8a677c8d5394b5c4ccd4487b4f1cbe15f3eab90ee
                                                                                                                                                                                                                                          • Instruction ID: 04190e4681eef5bb1fbe14f27b2f5f38bae34c3b53da5c68572f32c1e9fe7d7f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc4dc1661fc4c890c80b32f8a677c8d5394b5c4ccd4487b4f1cbe15f3eab90ee
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8721F7B5A10218AFCB44DFA9D88099EBBF5FF4D720B109129E905EB324DB31A841CB90
                                                                                                                                                                                                                                          Function 070D2B18 Relevance: .1, Instructions: 64COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 01b954328651492fc807afbad81e98a7d6b55da2a877125f0f40f8003f0b379c
                                                                                                                                                                                                                                          • Instruction ID: 87b629535f0c6045361fb7077e5737138ce50e32047e8d8e4176fa642ff1171b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 01b954328651492fc807afbad81e98a7d6b55da2a877125f0f40f8003f0b379c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5B11A3B5B003148FCB55BBBD54205EE7BE6AFC8651B100639D50ADB344EF348E428BE2
                                                                                                                                                                                                                                          Function 070D1378 Relevance: .1, Instructions: 55COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 86523982a61b20acb2faeba1789e0b250e19d55fe3715d963cb0cf0afba51769
                                                                                                                                                                                                                                          • Instruction ID: 71558266aa123bff63824b60e76b6aa2491ff53615b01a5348f1f8fa7cdc6483
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 86523982a61b20acb2faeba1789e0b250e19d55fe3715d963cb0cf0afba51769
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E32127B0D042498EDB14CFAAC440AEEFBF4FF88324F14852ED419A7240CB755905CFA1
                                                                                                                                                                                                                                          Function 070D1380 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 3125855bbdaa75bba3c101467f3ee530b3f012e91613c39fe2018312720a34b2
                                                                                                                                                                                                                                          • Instruction ID: 0d42be04186911a668e5c4f489edf80da0491b71c82b500b76c74482d60d500d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3125855bbdaa75bba3c101467f3ee530b3f012e91613c39fe2018312720a34b2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8F1103B0D042498FDB14DFAAC880AEEFBF4FF88324F10852AD519A7240DB756905CFA5
                                                                                                                                                                                                                                          Function 070D2B08 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5eae6968ca1809cb549fe3fbb422984ce7137b18166178da0e10ac5df6a9fd9a
                                                                                                                                                                                                                                          • Instruction ID: bb4675028084eac1529fb155e64bf00225da5c5944cf1ca48c35548556ed6d83
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5eae6968ca1809cb549fe3fbb422984ce7137b18166178da0e10ac5df6a9fd9a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8101D2B5B003118FCB45ABB940206EE7FE6AFC8351B040669D809E7344EF348E428BE2
                                                                                                                                                                                                                                          Function 070D1968 Relevance: .1, Instructions: 51COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a847369ce53247d5b9f155ac6c3f545532365dd8b9b5ef996b977176b6cb4b3d
                                                                                                                                                                                                                                          • Instruction ID: 5b3285b9e0ff84c7dec373262024ec2eaf037cc95ad928f53663bf5c3a97ed1a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a847369ce53247d5b9f155ac6c3f545532365dd8b9b5ef996b977176b6cb4b3d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F5116D31600204AFDB45CBA9D95AAA9BBF6FFCC314F214119E40AE73C0DF796895CB90
                                                                                                                                                                                                                                          Function 070D2A68 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 10042acb3828843933c487f5c7e37e3803e73324f6c1f6774b0f0b852f11ed18
                                                                                                                                                                                                                                          • Instruction ID: 1efb75eb3574f28cb98da0a4f075dcfb8aa53e1036becf8a726ddbe4973dcb24
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 10042acb3828843933c487f5c7e37e3803e73324f6c1f6774b0f0b852f11ed18
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AB016DB9B00211DFCB04EFB8D5116AE7BF1EB8A311B20157AE909D7310EB319D52DB81
                                                                                                                                                                                                                                          Function 070D182A Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8ca17d3878110b4174154f7dfb85dfbb43f395177936f3b1ccd3cdd90deaef5b
                                                                                                                                                                                                                                          • Instruction ID: f89dd134566f6f72f4e5d21602fcbd2ebe631a29be99ec5b30d7050213693292
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8ca17d3878110b4174154f7dfb85dfbb43f395177936f3b1ccd3cdd90deaef5b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CF0188B1610309ABDB199A68C5557FF7AEA9BC9300F11422DD406F3340CF751D0097E2
                                                                                                                                                                                                                                          Function 04AFD01D Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1795156660.0000000004AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AFD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4afd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8028d3c7cf415ccf96fa46d608fc139a08d5e17d5c563560155fb6384eae25ec
                                                                                                                                                                                                                                          • Instruction ID: a6f34bf760a188c9be839b7069fde5c486e06f3934fbe37c9e1aad282006df33
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8028d3c7cf415ccf96fa46d608fc139a08d5e17d5c563560155fb6384eae25ec
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3B012B71504340AAF7228F66EC80B67BFA8DF41360F08C52AFE4B4F182D378A841C6B1
                                                                                                                                                                                                                                          Function 04AFD006 Relevance: .0, Instructions: 45COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000002.1795156660.0000000004AFD000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AFD000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_2_4afd000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d05c5c30dc039a250bdc37bb7f90fcfc81bee970e49ab2bd37d18db5a450d928
                                                                                                                                                                                                                                          • Instruction ID: e7421bfc45e09d52bb543d2dcbca69dea8c6cfde6a573e6f769364463f43aa8c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d05c5c30dc039a250bdc37bb7f90fcfc81bee970e49ab2bd37d18db5a450d928
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 10014C6100E3C09EE7138B259D94B52BFB4DF43224F1981CBED898F1A3C2695849C772
                                                                                                                                                                                                                                          Function 070D1440 Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ba9e863a5112816f06cea956f5ebc923ad98d5332f9eb7220927ab834fd5e93f
                                                                                                                                                                                                                                          • Instruction ID: 3b65b21cc37bd023d9ecb3c8531c83cb443310556c885ec5542e00d0ccea6188
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ba9e863a5112816f06cea956f5ebc923ad98d5332f9eb7220927ab834fd5e93f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F701DBF06093465FC74F5B79693A1267FE6BEC610430B0AAAC545CF192FA285818C7D1
                                                                                                                                                                                                                                          Function 070D2997 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ff424f7da3daa7d67a55753bdc161c7a9fc61a25220f758b0e4a651687e0761d
                                                                                                                                                                                                                                          • Instruction ID: fe14b15ea6431f762a8892ec6e187305d2d5d5f06f752637ab83017c8236d3fb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff424f7da3daa7d67a55753bdc161c7a9fc61a25220f758b0e4a651687e0761d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F701F4F13003415FDB0667B0EA0168A7F92FF81210B05C6AAF6018F291EF659882DBD2
                                                                                                                                                                                                                                          Function 070D2A78 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 442f99160e16abafd9c06e51789cc9bd431e58f0a70cff33cb05916d6f040551
                                                                                                                                                                                                                                          • Instruction ID: 6599c9b585ec957344dc6b3c34741fca723952c5d6105f9167ce52d1a6fb2d61
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 442f99160e16abafd9c06e51789cc9bd431e58f0a70cff33cb05916d6f040551
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FF016DB5B103148FCB04EFB8D4056AEBBF5EB89611B104169EA09E7310EB319D42CBC0
                                                                                                                                                                                                                                          Function 070D1431 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 638b206f40caee2d4325415fa01cc0e65250283af08c8bcaab789d91f04c2b27
                                                                                                                                                                                                                                          • Instruction ID: 3c518339f9517ad01d835fd8ebbda300c470a39a60804797af6bfb50185fe5c5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 638b206f40caee2d4325415fa01cc0e65250283af08c8bcaab789d91f04c2b27
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C5F0C8F06043065EDB4E97BAA92B1267FD6FEC52143060A6ED545CF191FA284814C7D1
                                                                                                                                                                                                                                          Function 070D29A8 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e9f0900846238b7db546d9871f9a044b86d6559852aa41fa98e79c924aa830a6
                                                                                                                                                                                                                                          • Instruction ID: 1b681438e23e322cedb2974ae00a1b888f7efbbcc0fa25d0328075ff231ccf63
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e9f0900846238b7db546d9871f9a044b86d6559852aa41fa98e79c924aa830a6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6EF090B03003019BDB09ABB5EE05A5A3B96FB80610B008639F6029F650EF659880D7D1
                                                                                                                                                                                                                                          Function 070D2A20 Relevance: .0, Instructions: 27COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 767910831760660a6c6723fd4eacead76c7d304a483305474fe5eecc511d535c
                                                                                                                                                                                                                                          • Instruction ID: c3746af8bce9ef124154cb9c60729d19f1db5894da9bc53f845c8e89748aaa4b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 767910831760660a6c6723fd4eacead76c7d304a483305474fe5eecc511d535c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74E0D8B130A3E24FC716063569151FD3FD47E8353034B83ABE00ACA182DB0E8D42C391
                                                                                                                                                                                                                                          Function 070D5EB0 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e3da58c9a837e37091e0a8cf36e4a25379b549bd2ed41c7fbfbb025b368643c8
                                                                                                                                                                                                                                          • Instruction ID: 89127b953932d92a8657b819fa4e5e80728358ede559914b13107a3d8cbca3eb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e3da58c9a837e37091e0a8cf36e4a25379b549bd2ed41c7fbfbb025b368643c8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8DE0C2722083645FC70197B8E4108967FAC9F0B62071640E7F545CF277CA519C4187A6
                                                                                                                                                                                                                                          Function 070D2A30 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 88d32f5c6874c02f97bb7eed62ad46e430cbb858ff39a70a28d8fcc27a562c83
                                                                                                                                                                                                                                          • Instruction ID: 0441b35acd07832658920bcca5690690db495277bb6c6ecb273e33557827dd1d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 88d32f5c6874c02f97bb7eed62ad46e430cbb858ff39a70a28d8fcc27a562c83
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4DD05BB13057258BDA14167A69153BE35DCFB41661B428225F41AD6280DF4DCD418395
                                                                                                                                                                                                                                          Function 070D17F0 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 92d123be26375e35c816434501c50feca02150a179f4727621b50fd291ed34a7
                                                                                                                                                                                                                                          • Instruction ID: d45005fd2dfc64bf6e1636ee7cc3c53235ff8905878c62ad8b39e1d8ab3ce69a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 92d123be26375e35c816434501c50feca02150a179f4727621b50fd291ed34a7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 15E02B73219384AFC3061B70D8114E5BFB8EF1A2203040163F841C7662DE711C51C7D2
                                                                                                                                                                                                                                          Function 070D2959 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 00c63d9e8f15bea61589d4ffc46054ed52c30d7f406aead9f577c2b76017992d
                                                                                                                                                                                                                                          • Instruction ID: aed85eca96091b6c071fe79f0167c17fcc2cb7dfe292d1c72643e6d6e6906d9f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 00c63d9e8f15bea61589d4ffc46054ed52c30d7f406aead9f577c2b76017992d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 16E04FB1A0A34AAFCB05CBB0E90469DBFF5EF4630072155EAD844DB161DA311E45D782
                                                                                                                                                                                                                                          Function 070D0C48 Relevance: .0, Instructions: 18COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6fd78322274560deb3d6f8ecfe2b10dc46bd66b3c58dda2b434794da527e8fac
                                                                                                                                                                                                                                          • Instruction ID: 219ed0942fc5b8c1d4901a667a32f391799748de10e21875bd09dd544a939647
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6fd78322274560deb3d6f8ecfe2b10dc46bd66b3c58dda2b434794da527e8fac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D1D0A9B13202249BC604A2ADE85096E33ADDB8F724B0009AAF60ACB360C992EC000389
                                                                                                                                                                                                                                          Function 070D0C0C Relevance: .0, Instructions: 17COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 78ae0b695c5e469e786bae2ac28da1114a3d01f8b0c416ff8c4675e88357906b
                                                                                                                                                                                                                                          • Instruction ID: 5b2fc5666179b058085b8a3b3b1786b810e68a16a49a926e16abcd42a072a72b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 78ae0b695c5e469e786bae2ac28da1114a3d01f8b0c416ff8c4675e88357906b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A4D0A7B222031C6B86006799D84597A7B99E78D3617504633F90687210DD716C5483D7
                                                                                                                                                                                                                                          Function 070D2968 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 886d942782f4ff6d3d7270bddc15830075e87d1e2be0c61fbc1486e5861defa4
                                                                                                                                                                                                                                          • Instruction ID: 80d7e272c3d691ea730acc1de67e9cc69115e326f2db586b09d367b25dd84e46
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 886d942782f4ff6d3d7270bddc15830075e87d1e2be0c61fbc1486e5861defa4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D5D05EB190520ADFCF00DFF5E941A5DBFF9EB48200B2086A5A805E7210EE306E808BC2
                                                                                                                                                                                                                                          Function 070D0440 Relevance: .0, Instructions: 11COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 00000005.00000003.1794232991.00000000070D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 070D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_5_3_70d0000_rundll32.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 40c1a31be53c5e2e5b5a7ce4f9e20ded63e1769162d812f3b787bad20a3d6e44
                                                                                                                                                                                                                                          • Instruction ID: 69262e408f7d14f7b951badaba66edf3cca2ab125987284cc90f83d66f1da4a4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 40c1a31be53c5e2e5b5a7ce4f9e20ded63e1769162d812f3b787bad20a3d6e44
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C5C0127505D3806FC703476099024D4BF727A1331174A8396D04085456C22D0875D7B2

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 00007FFD9B3E6058 Relevance: 4.6, Strings: 3, Instructions: 807COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: N_I$N_^$N_^
                                                                                                                                                                                                                                          • API String ID: 0-3680607079
                                                                                                                                                                                                                                          • Opcode ID: 3477d926b1ea6d5dabcfa3020af9b38511442541ee8334a3ba55726bdc39f5fd
                                                                                                                                                                                                                                          • Instruction ID: eec7d61d7dd344aa27ef0d0d6bf73f012eb765c767c10e4b82916dc226eafadd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 3477d926b1ea6d5dabcfa3020af9b38511442541ee8334a3ba55726bdc39f5fd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A7327E23B0E9990BD765FBACA8651E97B91FF85330B0542BFD18CCB0E7DC1869468381
                                                                                                                                                                                                                                          Function 00007FFD9B3E57E8 Relevance: 3.0, Strings: 2, Instructions: 451COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: N_^$N_^
                                                                                                                                                                                                                                          • API String ID: 0-324526423
                                                                                                                                                                                                                                          • Opcode ID: 2669d4a0f485ba982dadb3b8612d2729b2a96a6aa52aa400c57fea39a5c43b9a
                                                                                                                                                                                                                                          • Instruction ID: f936f76f731968eef36acef5c81e72542a93c8cd5cafa0ba925b61c0bed59daf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2669d4a0f485ba982dadb3b8612d2729b2a96a6aa52aa400c57fea39a5c43b9a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 26D16F26B1E6960FE325B7BCA8621E87FA0EF41335F0901BBD19DCB4E3DD58544A8391
                                                                                                                                                                                                                                          Function 00007FFD9B3E0C1D Relevance: 1.2, Instructions: 1156COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 690d221f1538df3f4032e3355f31aa4cfb4f069ed1b897bfe58b88f8e74c5eec
                                                                                                                                                                                                                                          • Instruction ID: 8453f9fe1b947c6766adb69326c37349ec1f786bbda8230f7268d5a42ab7d20b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 690d221f1538df3f4032e3355f31aa4cfb4f069ed1b897bfe58b88f8e74c5eec
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 11A21870A1551D8FDBA9EF18C8A5BA9B3A2FF58304F5041FED01ED7295DA35AA81CF00
                                                                                                                                                                                                                                          Function 00007FFD9B4D0853 Relevance: .9, Instructions: 945COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1875301241.00007FFD9B4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b4d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b863c61ca17ee1cffbc2412b6fbafbfabcef5b62b5e198a93859d1a15e727c8f
                                                                                                                                                                                                                                          • Instruction ID: 4ee1f8b71f0c6ec06692efff7722c1851244a680fa3f7836a11de5e8f162a1a2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b863c61ca17ee1cffbc2412b6fbafbfabcef5b62b5e198a93859d1a15e727c8f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 55F1F420B0DA494FEBA8976C943563877D2EF9A714F1502BED08EC72E7CD19AC02C381
                                                                                                                                                                                                                                          Function 00007FFD9B3E0C89 Relevance: .9, Instructions: 894COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7e1cf8c61786ff7f4c2df8f63c37ac001be8d673aaf6d6706895f273416069b0
                                                                                                                                                                                                                                          • Instruction ID: 453086f11639a48233917eacf0b6bd7ea92fb805b459efdbdea4f94029f3a54e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7e1cf8c61786ff7f4c2df8f63c37ac001be8d673aaf6d6706895f273416069b0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E721870A1591D8FDBA9EF14C8A5BA9B3A2FF58304F5040FED01ED7295DA35AA81CF40
                                                                                                                                                                                                                                          Function 00007FFD9B3E187E Relevance: .6, Instructions: 606COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e199cb9f23a25679d7596fefcc05868f6aa2fc55aa1537a6d43bc05cfe1adbdb
                                                                                                                                                                                                                                          • Instruction ID: 01c159d71c65361ca3f342de3128a56b80a338949d63fc8735e4687562f511de
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e199cb9f23a25679d7596fefcc05868f6aa2fc55aa1537a6d43bc05cfe1adbdb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7221B70E1562D8FDBA4EE68C8957A9B3B1FF59301F5040BAD01DE72A1CA75AE81CF00
                                                                                                                                                                                                                                          Function 00007FFD9B3EC99E Relevance: .4, Instructions: 382COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8134fca9afb348b18e81d397190d11a9499ac7b190348d991b00c7a1a3668c2e
                                                                                                                                                                                                                                          • Instruction ID: e15d4d992fd8472387464357b9af1c289af07eb0f97ab21eb0dcb7eb5b9a1b2a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8134fca9afb348b18e81d397190d11a9499ac7b190348d991b00c7a1a3668c2e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8AD18630A18A4E8FEBA8EF28C8657ED77D1FB58300F54426ED80DC7295CF7499858B81
                                                                                                                                                                                                                                          Function 00007FFD9B3E3368 Relevance: .3, Instructions: 332COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b4bed4990d9f97f16df374bc6c1a7afe3b90f9eb65adf382e46d163787120b30
                                                                                                                                                                                                                                          • Instruction ID: ce5ed9b5b4c84161ca245a309914619cb46265c55164790de267d7e644ea1167
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b4bed4990d9f97f16df374bc6c1a7afe3b90f9eb65adf382e46d163787120b30
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 30B17A30E09A5D8FEBA5EA68C8557A9B3B1FF55300F1101BEC00DE72A1DF35AA81CB40
                                                                                                                                                                                                                                          Function 00007FFD9B3E1E7E Relevance: .1, Instructions: 136COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e67cabf78012cebed80eb95494458ecb98a06997f15b3836bb452753299ecb6b
                                                                                                                                                                                                                                          • Instruction ID: e3fcdfcd728d50ae4edf3fa87d3df2ba215d546614433f9d03c988364f136246
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e67cabf78012cebed80eb95494458ecb98a06997f15b3836bb452753299ecb6b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D9514B70E1562D8FDBB5EE6888957A9B2B1FF59300F5140BAE01DD72A1CA75AE818F00
                                                                                                                                                                                                                                          Function 00007FFD9B3E1E88 Relevance: .1, Instructions: 124COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7094f0a97cf10672a51695862428d56d692a9d9c2f950fac4807c53e455627e1
                                                                                                                                                                                                                                          • Instruction ID: 94cb1b9019eb4ee5d31391e44dce4ab4599b070e6343ea28072bc906c010ff09
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7094f0a97cf10672a51695862428d56d692a9d9c2f950fac4807c53e455627e1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 56414C30E1561D8FEBB5EA68C8963A9B3B1FF54300F1141BAE01CD7291CA79AE818B40
                                                                                                                                                                                                                                          Function 00007FFD9B3E1EB6 Relevance: .1, Instructions: 113COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9e8d9088c68da8eb58903512ae1b63bd8072bedd2301fae5d331b54542c4d26d
                                                                                                                                                                                                                                          • Instruction ID: 770599c4a6c29e39cd99b591d4df48bcc14ed2688db838d9426ab6ff82e36f04
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9e8d9088c68da8eb58903512ae1b63bd8072bedd2301fae5d331b54542c4d26d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06412870E0562D8FDBA5EF2888957E9B3B1EB19300F4141EAE00DE7291CA34AF81CF00
                                                                                                                                                                                                                                          Function 00007FFD9B3E5730 Relevance: 2.8, Strings: 2, Instructions: 320COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: c$N_^
                                                                                                                                                                                                                                          • API String ID: 0-768855989
                                                                                                                                                                                                                                          • Opcode ID: 397fed376306250efa989ef1d3e7d9570b53df0176c0b130eb131a1d1b001926
                                                                                                                                                                                                                                          • Instruction ID: 981602caf378a172f4763cd20b78ecbcab8dfb4dac87814f12a4f3ee6f868f34
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 397fed376306250efa989ef1d3e7d9570b53df0176c0b130eb131a1d1b001926
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FA91F917B1E6A607E32573AC78721E93FA1DF81275B0902FBD2DDCA4D3DC48548A42D5
                                                                                                                                                                                                                                          Function 00007FFD9B3E82F8 Relevance: .4, Instructions: 383COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ea30f52a8f96519f4dc41a62a6187aad05f6a1f014c52731f9f0519fc740e12d
                                                                                                                                                                                                                                          • Instruction ID: 754eabd3637c6dcc58c862e01611fa434b3c560e5e7f5a493c5d85cee28d2c69
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea30f52a8f96519f4dc41a62a6187aad05f6a1f014c52731f9f0519fc740e12d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8EE18370E1991D8FDBA8EB58D498BA9B7F1FF59301F5041AAD00DE72A1DB759A80CF00
                                                                                                                                                                                                                                          Function 00007FFD9B3E673A Relevance: .4, Instructions: 382COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5ea4097507ef96716531bebb6b486883c5865d192cb9c40ad1ef33c36d3c893c
                                                                                                                                                                                                                                          • Instruction ID: f31e2c779ed2993910308b9495240df2dd89d2af85700b4626d5da88381af164
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5ea4097507ef96716531bebb6b486883c5865d192cb9c40ad1ef33c36d3c893c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2DD13D71E0E68F4FEBA5EB6888656A53BE0EF55310F0541FFD459C71E3D918A905C380
                                                                                                                                                                                                                                          Function 00007FFD9B3E2FF8 Relevance: .4, Instructions: 377COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 093efbb43d1b0a0e42f413792a339c83357f0b0fc9688f9929b9a7127ff69443
                                                                                                                                                                                                                                          • Instruction ID: 9a425ccfe3f16d55a862286c5bb1efc5cc51a40c70fa3f2755718b01b660bb0a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 093efbb43d1b0a0e42f413792a339c83357f0b0fc9688f9929b9a7127ff69443
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6DB10917B1E1A64AE311B7BCB4719E93FB1EF81239B0842B7D1DD8E0D7DD1864CA8294
                                                                                                                                                                                                                                          Function 00007FFD9B4D0001 Relevance: .3, Instructions: 347COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1875301241.00007FFD9B4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b4d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1f246ceeef3ffb9f46d4cfcf0fef6aa298c9ffdb7ad1d0f0d5428f22ae137bd6
                                                                                                                                                                                                                                          • Instruction ID: 7ad51dfaf5559a800cc793b6e9b3b58a9cb2cd8b570cde8f92ab1bce6b881488
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1f246ceeef3ffb9f46d4cfcf0fef6aa298c9ffdb7ad1d0f0d5428f22ae137bd6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A8A1E461B0EA8D4FEB66DA6C98755347BE1EF96710B0602FBD489C72A3DD18BC02C341
                                                                                                                                                                                                                                          Function 00007FFD9B3EB6EE Relevance: .3, Instructions: 339COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7a38c046eae43f26a7681db22b5eb580870fc9f1561ae2a1cfb33aaf3314af75
                                                                                                                                                                                                                                          • Instruction ID: 1a41d7e68e617058ab7e3f87e53a009392ce1ef0c06ee6c31be8cc037c62190c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7a38c046eae43f26a7681db22b5eb580870fc9f1561ae2a1cfb33aaf3314af75
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06B18630A18A4D8FEBA9EF28C8657E977D1FF58300F44426EE84DC7295DF74A9448B81
                                                                                                                                                                                                                                          Function 00007FFD9B3ED7A0 Relevance: .3, Instructions: 330COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1fc879b834dfa369f8d960c125b26dc0035f6609cee913131bd0e54cc8a32cee
                                                                                                                                                                                                                                          • Instruction ID: 4b8681d15c118cf9830a3dd21c3bf5f00461b648e93b1bad44cb9c1dd2a2adca
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1fc879b834dfa369f8d960c125b26dc0035f6609cee913131bd0e54cc8a32cee
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BEC1B570A18A5D8FDF94EF68C894BA8B7F1FF69301F1141AAD00DE7261DB34A981CB41
                                                                                                                                                                                                                                          Function 00007FFD9B3E1B2F Relevance: .2, Instructions: 233COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 18461dbcc4fafedd168eb6d571fb1a1ae35de91b8929d737b909a74a1868be2f
                                                                                                                                                                                                                                          • Instruction ID: 741bcbad9b4616780c3398988106610424422edde9f04ba8e819354cb7f44129
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18461dbcc4fafedd168eb6d571fb1a1ae35de91b8929d737b909a74a1868be2f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 05911770E1562D8FDBA4EE28C8957E9B3F1FF59301F5040B9D04DA7295CA75AA81CF40
                                                                                                                                                                                                                                          Function 00007FFD9B3E7DC1 Relevance: .2, Instructions: 204COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c253eea71d367845aad6b6398a6173337e68b1bf3b0b52a8e459c84cc70aeeaf
                                                                                                                                                                                                                                          • Instruction ID: 9e50f018a04c57da14522b5b19845a3044c17a32ac826b8fdbe1187c06fe9e0a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c253eea71d367845aad6b6398a6173337e68b1bf3b0b52a8e459c84cc70aeeaf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5E61F971D0E68D9FE751EBA88C295A97BF0FF56320F0501BBD058CB0E3DA289946C741
                                                                                                                                                                                                                                          Function 00007FFD9B3EE641 Relevance: .2, Instructions: 196COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cd261aa09daa05d262e366f5e2ed9958c1a674a0dae34528d7e675a9e72d0b78
                                                                                                                                                                                                                                          • Instruction ID: b88b23b7eb94aa0acac7f9ca7e5ed12b95cae6730246976f8cedf16c74045895
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cd261aa09daa05d262e366f5e2ed9958c1a674a0dae34528d7e675a9e72d0b78
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45614C30E0965D8FDB94EF98D865AEDBBF1FF59300F15046AE009E72A1DB34A940CB50
                                                                                                                                                                                                                                          Function 00007FFD9B3E946C Relevance: .2, Instructions: 193COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: acd3e66bd094e834be156ae39fe20989fde8b58276f6eda671ec89008355f8e6
                                                                                                                                                                                                                                          • Instruction ID: 1187d4b6020d716e11ea80854eb843a575d70721b129477d71ccaab133fcfe09
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: acd3e66bd094e834be156ae39fe20989fde8b58276f6eda671ec89008355f8e6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1B518431918A1C8FDB68DB58D855BE9BBF1FF59310F0082ABD04DD3296CE34A9858F81
                                                                                                                                                                                                                                          Function 00007FFD9B4D04DE Relevance: .2, Instructions: 158COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1875301241.00007FFD9B4D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B4D0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b4d0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c5d26737225429ba93538c391a5b5124af31c11ea8557911c1ea634f6a640725
                                                                                                                                                                                                                                          • Instruction ID: c34f99cbb547a0493ee0a78d7d21eaf0cd052f44028fe535117dbf51d250deeb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c5d26737225429ba93538c391a5b5124af31c11ea8557911c1ea634f6a640725
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 06412C62B0EA890FE796976C58765643BE1EF9661430A02FBD089C72B7DD18BC43C341
                                                                                                                                                                                                                                          Function 00007FFD9B3E59E8 Relevance: .1, Instructions: 145COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e5adb785df9fd8bb96cd4beee0b0686945a0a6649c516a567b4bea18df87c0d1
                                                                                                                                                                                                                                          • Instruction ID: ae207e168425024b6416111eb1ad2ba24d7e85140cfbcc7ab164b4b6c556b779
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e5adb785df9fd8bb96cd4beee0b0686945a0a6649c516a567b4bea18df87c0d1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 55416831E0A24F4FEB79FB6888620A937E1FF55314F56007FD019CBAE1DE2895058341
                                                                                                                                                                                                                                          Function 00007FFD9B3E7A45 Relevance: .1, Instructions: 135COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 83f091242ebdf1ed99be8765fd23b896218fb9490c488681fa5b512f75bec714
                                                                                                                                                                                                                                          • Instruction ID: 35c25754f1a5f23e941ea903b39d26dfa9659c5115f6b902e71aa93944e04136
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 83f091242ebdf1ed99be8765fd23b896218fb9490c488681fa5b512f75bec714
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9B419A70E09A4D8FDB54EFA8D8556E9BBF1FF59300F10017AE008E72A1DA39A941CB40
                                                                                                                                                                                                                                          Function 00007FFD9B3E7C51 Relevance: .1, Instructions: 117COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 87e3df33c994bfb2850d94dd08418362f3dce22222e63d38ab8d22d45c4aa515
                                                                                                                                                                                                                                          • Instruction ID: 017a3f2dd996f00c29258eb1719235152ee07ee4b822f3343b1144d7061e160a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 87e3df33c994bfb2850d94dd08418362f3dce22222e63d38ab8d22d45c4aa515
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8D319E71E19A4D9FDB50EFA8D8456AAB7F1FF59310F00027AE008DB291DB39EA418B40
                                                                                                                                                                                                                                          Function 00007FFD9B3ED1F4 Relevance: .1, Instructions: 108COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b1b79756e0f7072c25e0e098b4c69763963003a00ffea3f163a3eaf3b0b1fd41
                                                                                                                                                                                                                                          • Instruction ID: 2cd7db9637fdd850a19cebab1beee48b328541f77b065ae3ca393119c2c238c3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b1b79756e0f7072c25e0e098b4c69763963003a00ffea3f163a3eaf3b0b1fd41
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0D310630E1990DDFDBA4EBA8D465AECB7B1FF59301F51107AD019E72A5CB39A981CB00
                                                                                                                                                                                                                                          Function 00007FFD9B3E4EFA Relevance: .1, Instructions: 93COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 53b0321bc71289f055fd5a9565567c37c2219818e64601decf2ec07d567b02ae
                                                                                                                                                                                                                                          • Instruction ID: 4d30380f38fcee9993113882efaff748f41e99fad4e5e017a0308467cceafca2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 53b0321bc71289f055fd5a9565567c37c2219818e64601decf2ec07d567b02ae
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4E21F432A0EA9D4FD715EF68A8715DA7BA0FF49320B0502BBE45CC72A3CD649946C391
                                                                                                                                                                                                                                          Function 00007FFD9B3E3B7D Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 62dcc021af11c551754465c6a9b49403d91f062b7f6e5a94c983394e152fc4a5
                                                                                                                                                                                                                                          • Instruction ID: 4ca6f59b3d55d71b83ea3bb0df3302fde574a754d1dceb7b45ead7a376b656c7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 62dcc021af11c551754465c6a9b49403d91f062b7f6e5a94c983394e152fc4a5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0C21AE71E08A4D8FDB54EFA8D8116EEB7F0FF49310F01027AE009E7282DB79A6448B41
                                                                                                                                                                                                                                          Function 00007FFD9B3E483D Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: de687545760ca813ac9b1a6645e52251d46caa9a0d111115db7231e9a5f7ef56
                                                                                                                                                                                                                                          • Instruction ID: d4c32b724cc57d7c9fad076f9d4f3c4549ddb3b010ce41f4f4301694c8177941
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: de687545760ca813ac9b1a6645e52251d46caa9a0d111115db7231e9a5f7ef56
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6411E932A0A6DD1BE720FF6898B51ED3B61FF45214F0606BBD49C870E3DD256985C341
                                                                                                                                                                                                                                          Function 00007FFD9B3E49F1 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 384a6019397e274834b1239760e8a535a5a2f2f2f6c42e7ba629cb34781ca5d1
                                                                                                                                                                                                                                          • Instruction ID: 390ca0ad02c454a45ce2e38c7e4fd615114a9d2cd3341164a7850bf00d8bede2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 384a6019397e274834b1239760e8a535a5a2f2f2f6c42e7ba629cb34781ca5d1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B311FE3460564D8FDBA4EE68D055AAA73A2FF8A304FA2447CD41DCB256CE37E942CB40
                                                                                                                                                                                                                                          Function 00007FFD9B3ED12C Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f990ac0ded1f8aa91997174200bb681d47c9fec0070f99fd6dce02e6c4e3cffc
                                                                                                                                                                                                                                          • Instruction ID: 067a8b7474db87860a37b47e4425e4ec63735fe52ba0f42e059ca8559d3b9296
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f990ac0ded1f8aa91997174200bb681d47c9fec0070f99fd6dce02e6c4e3cffc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0F119271E1991DDFDF94EB98E494AECBBB1FF59301F54017AE009E72A1CA35A8428B00
                                                                                                                                                                                                                                          Function 00007FFD9B3E4813 Relevance: .0, Instructions: 46COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f333ad90a1451cf41d763bbf9b9dd095d949eb576e9e49da07b6887f60bc88b9
                                                                                                                                                                                                                                          • Instruction ID: cfdfdc5beef398d7525e223419b688849c3ea52b43e855303571030ab0348c81
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f333ad90a1451cf41d763bbf9b9dd095d949eb576e9e49da07b6887f60bc88b9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1D018431A1E9CE4BE765EFA488642BE76E0FF19300F4604BEE45C821E2DE35BA54C241
                                                                                                                                                                                                                                          Function 00007FFD9B3E79CC Relevance: .0, Instructions: 44COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2e116f6d37b191b253c013ac194b80ebbcdd3ebecc75b93777708c6055139743
                                                                                                                                                                                                                                          • Instruction ID: 27d20d84fbc4241f1e188bb3561661f9050498fce9ec03ab0a9e77b53fb5a000
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2e116f6d37b191b253c013ac194b80ebbcdd3ebecc75b93777708c6055139743
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 60018B70F2480E4FEB94FBA89466AADB7B2EF94200F500176E018DB1AADE6568424300
                                                                                                                                                                                                                                          Function 00007FFD9B3E798A Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9bad7b1071da53ed1eecf1429786599d39cccf89e2450af9522bab7ab1e5e49a
                                                                                                                                                                                                                                          • Instruction ID: 201e5a85e70b84c4a80261ab2bed568ea1b1d10ce9b6629afdc054b47f4d29f0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9bad7b1071da53ed1eecf1429786599d39cccf89e2450af9522bab7ab1e5e49a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D8F05E30F2445E8FE754FBE89466AEDF7B1EF80300F500176D018DA1AACE7968014701
                                                                                                                                                                                                                                          Function 00007FFD9B3E6E93 Relevance: .0, Instructions: 7COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000C.00000002.1874983969.00007FFD9B3E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B3E0000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_12_2_7ffd9b3e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4db7e997fc44cbe5bcde5953b4116c764836bf346ba6dd5c1a6b7f147ab74357
                                                                                                                                                                                                                                          • Instruction ID: 577892e5e5c00994a01019b9d3b6b9126a0a43056d8be021f55c2d23d24972c6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4db7e997fc44cbe5bcde5953b4116c764836bf346ba6dd5c1a6b7f147ab74357
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FFA00242BCF47E02D864B0DD78620D8B244C785171BC66577ED0C8415A989E2ED60285

                                                                                                                                                                                                                                          Executed Functions

                                                                                                                                                                                                                                          Function 00007FFD9B6252AD Relevance: 8.2, Strings: 6, Instructions: 667COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: @#w$H#w$P#w$X#w$`#w$h#w
                                                                                                                                                                                                                                          • API String ID: 0-3784290373
                                                                                                                                                                                                                                          • Opcode ID: 8f3c2399ec8bf3510d9c417615d2673d51c4c3c98964022a8358b2431754c61a
                                                                                                                                                                                                                                          • Instruction ID: d6a59e0721df8f859ae20e659b9a498a60a3b61f3cbbe864807ac2e68796cec9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f3c2399ec8bf3510d9c417615d2673d51c4c3c98964022a8358b2431754c61a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1422F231B0DA494FEBA4EB6888696B577E1EF96310F1500BAD05ECB1E3DE29BC41C740
                                                                                                                                                                                                                                          Function 00007FFD9B61693C Relevance: 2.2, Strings: 1, Instructions: 984COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: :9_H
                                                                                                                                                                                                                                          • API String ID: 0-3494679039
                                                                                                                                                                                                                                          • Opcode ID: c52e354fb181c1b57896db67afec227f5771ee4035570ef19894ba83ac1e8c57
                                                                                                                                                                                                                                          • Instruction ID: 6d94aa40c8b0bdea56aae6381af51c4519a5c5cbc51c39a088328f26c0332486
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c52e354fb181c1b57896db67afec227f5771ee4035570ef19894ba83ac1e8c57
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0962F570B09A0E4FEBA8DBA88465A7977E2FF94304F5540BDD01DCB1A6DE29BD42C740
                                                                                                                                                                                                                                          Function 00007FFD9B404E5C Relevance: 1.4, Strings: 1, Instructions: 130COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: [<M_^
                                                                                                                                                                                                                                          • API String ID: 0-1933004158
                                                                                                                                                                                                                                          • Opcode ID: 49c4774dfc1c6e4a21c8ace69e5fe575410e84d8ab4a87b19ba961b18e9af80f
                                                                                                                                                                                                                                          • Instruction ID: 0f01b6bafb5bdde55ed846ced20f2620faf3740b5f3f556414726b9285d663a2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 49c4774dfc1c6e4a21c8ace69e5fe575410e84d8ab4a87b19ba961b18e9af80f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FC41BC71A0A64E8FD768EFA4C4646EDBBF1EF45314F0904BDC049A72E2CA385981DB40
                                                                                                                                                                                                                                          Function 00007FFD9B611895 Relevance: 1.0, Instructions: 970COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1d245a487e84f14b9bd2335222d2baf73a6a3921346d837e348a9d84327574c7
                                                                                                                                                                                                                                          • Instruction ID: 84ed01548a116c2a5f25e991504113bf146b4f871cd6f59067342985a7bfec59
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1d245a487e84f14b9bd2335222d2baf73a6a3921346d837e348a9d84327574c7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4E52C731B1DA4D4FEBA8EB6C8465BB577E1EF98300F0541BAD05DCB2A6DE28BC418741
                                                                                                                                                                                                                                          Function 00007FFD9B40CFB8 Relevance: .8, Instructions: 761COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6914d0424a8bc4c57b7862603a7a70b31fc5ad8546dc7663971d1d9403697d60
                                                                                                                                                                                                                                          • Instruction ID: a260d74a2bf23f86b0bae9599e97c46f3f1683a4677f17b07bf77480705c772e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6914d0424a8bc4c57b7862603a7a70b31fc5ad8546dc7663971d1d9403697d60
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 61323B30B1DB894FD365DB68C4616B6BBE1FF96304F0545BED0CAC71A2DE28A842C741
                                                                                                                                                                                                                                          Function 00007FFD9B411D48 Relevance: .5, Instructions: 491COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6d9ee6cdc0edf830ff07a1889e2044e1804d4a5bfb1d414a2184a2c947a87c48
                                                                                                                                                                                                                                          • Instruction ID: 5bc42d862e4e582de9fd31b4f212be849f06ef470de68e862d2fc2c31f92f2f7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6d9ee6cdc0edf830ff07a1889e2044e1804d4a5bfb1d414a2184a2c947a87c48
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 43F1A270A1DB494FD769DB68C0A167ABBE1FF95304F04467DE48AC3292DB34E942C781
                                                                                                                                                                                                                                          Function 00007FFD9B6153A0 Relevance: 7.2, Strings: 5, Instructions: 982COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 8 w$8 w$@ w$@ w$I9_H
                                                                                                                                                                                                                                          • API String ID: 0-2746781665
                                                                                                                                                                                                                                          • Opcode ID: e9ca2fa150283a29332ae750880933c67657cd15bd88ea068ee3ccf54337fe12
                                                                                                                                                                                                                                          • Instruction ID: c0c454a731e66b6d955a9383230fcb64f120f435af35c2f79ec8854c53bb9356
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e9ca2fa150283a29332ae750880933c67657cd15bd88ea068ee3ccf54337fe12
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 48621431A1DB8A8FE7A8DF688465A69B7E1FF98300F55047DD059C72A2DE38F841C741
                                                                                                                                                                                                                                          Function 00007FFD9B413B18 Relevance: 1.7, Strings: 1, Instructions: 432COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: 63caf41560070a30229027828cf4033a311745bc82047617c4b6afd2e02662e7
                                                                                                                                                                                                                                          • Instruction ID: 69d0a21fa24740e11397d56aafb46d210f87bbcc2f646c230c5c40087e9c627a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 63caf41560070a30229027828cf4033a311745bc82047617c4b6afd2e02662e7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1CD13230B1DB494FD728EB5C94515B5B3E1FFA6318B14467ED08E832A6DE25F8428B81
                                                                                                                                                                                                                                          Function 00007FFD9B41447A Relevance: 1.7, Strings: 1, Instructions: 407COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: d49eba7e38303e3084098224f5f886016c2f25c1599c96d00d8e45756efcd91f
                                                                                                                                                                                                                                          • Instruction ID: 190992308f077dbfd097cbd68601639ef84a2bda07b28db5ff9cc27f79dab6ab
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d49eba7e38303e3084098224f5f886016c2f25c1599c96d00d8e45756efcd91f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 28C11530B1DB8A4FD769DB588464535B7E1FFA6308B1506BED08EC31A6DE35F9028B81
                                                                                                                                                                                                                                          Function 00007FFD9B40A01D Relevance: 1.6, Strings: 1, Instructions: 390COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: 'R_L
                                                                                                                                                                                                                                          • API String ID: 0-835780197
                                                                                                                                                                                                                                          • Opcode ID: 105db3042f8d42adb3917935f5e8a635c383f9889e2e2c3e7956a104e47d2c29
                                                                                                                                                                                                                                          • Instruction ID: 6f8cb1aebbf217e8d7481b0a51b60c005cb233ac32d83df5801e4fac61eab98f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 105db3042f8d42adb3917935f5e8a635c383f9889e2e2c3e7956a104e47d2c29
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 79B13771B0DA090FE7A4EBBCA429AB977D1EFE832074501BFD04DC72A2ED189C468341
                                                                                                                                                                                                                                          Function 00007FFD9B4103C5 Relevance: 1.6, Strings: 1, Instructions: 339COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: d
                                                                                                                                                                                                                                          • API String ID: 0-2564639436
                                                                                                                                                                                                                                          • Opcode ID: b0a0f93fca90354cc6a62ff06ced91f40c7db7054ebaa687e22e2cfd7716441b
                                                                                                                                                                                                                                          • Instruction ID: 9ec0db67c0b1df9826e68c87871e8ada6544575d5f54147825fddc90eac18378
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b0a0f93fca90354cc6a62ff06ced91f40c7db7054ebaa687e22e2cfd7716441b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 52B1DF70B1CB098FD768DB0CD4A1535B3E1FFA8704B144A7DD48A836A6DA35F8438B81
                                                                                                                                                                                                                                          Function 00007FFD9B621706 Relevance: 1.6, Strings: 1, Instructions: 302COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: X"w
                                                                                                                                                                                                                                          • API String ID: 0-549086922
                                                                                                                                                                                                                                          • Opcode ID: bf037e8d2e74d146bf463cc8e487d80fcb46780acfd9cecb70d9804471a043b8
                                                                                                                                                                                                                                          • Instruction ID: 436dd6b10d3dad1b4738613ee642d8b18879aaaf3d752f3a091f4328b1ba10ef
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bf037e8d2e74d146bf463cc8e487d80fcb46780acfd9cecb70d9804471a043b8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 44916831B0EB4D0FEB659B68D46567577D1EF89320F0501BEE48DCB2A2DD29AD42C382
                                                                                                                                                                                                                                          Function 00007FFD9B61667F Relevance: 1.5, Strings: 1, Instructions: 231COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: :9_H
                                                                                                                                                                                                                                          • API String ID: 0-3494679039
                                                                                                                                                                                                                                          • Opcode ID: 57362d01db7ed3451cf8e017db4cd82f9a2df41d5d7dc57cc538e608ca804f15
                                                                                                                                                                                                                                          • Instruction ID: ab0808ab1ec89e2528de7f91ff8fe3b3be6c44b99549b0136354e6b0a9f4cbef
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 57362d01db7ed3451cf8e017db4cd82f9a2df41d5d7dc57cc538e608ca804f15
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 84711A75B19A0E4FEBA8DFA884656B877E1FF54300F1140BED41DC72A6DE28BD428B40
                                                                                                                                                                                                                                          Function 00007FFD9B619AF2 Relevance: 1.4, Strings: 1, Instructions: 198COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: K+_^
                                                                                                                                                                                                                                          • API String ID: 0-2788485007
                                                                                                                                                                                                                                          • Opcode ID: da34c402eea7b45275121f35fa89e40fda9022cc0a1ea00fb4d3e83951697daa
                                                                                                                                                                                                                                          • Instruction ID: e0c33ab8c8bad664753c985bbda23d4bb824fb176c1198f8f7e6c0ab25871ef9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: da34c402eea7b45275121f35fa89e40fda9022cc0a1ea00fb4d3e83951697daa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7651A132B0EB0A0BE768AA5D64A61F273D1FF95324B04417ED49DCB1E7DD24F8438681
                                                                                                                                                                                                                                          Function 00007FFD9B40D0C0 Relevance: 1.4, Strings: 1, Instructions: 194COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: ^L_^
                                                                                                                                                                                                                                          • API String ID: 0-3269914177
                                                                                                                                                                                                                                          • Opcode ID: b843a1c7995cf7b898578276c736d63d8f93f810d3c17a2f718e8d0002da23e9
                                                                                                                                                                                                                                          • Instruction ID: c146498ffa595901014205d1127edf3c2fbb282af9992a3a9ef084087ef2a58b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b843a1c7995cf7b898578276c736d63d8f93f810d3c17a2f718e8d0002da23e9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D351B622B1D7954FD302B7B8A4761E83FB1EF4223570942F7C189CB0E7E95828868396
                                                                                                                                                                                                                                          Function 00007FFD9B40813C Relevance: 1.4, Strings: 1, Instructions: 169COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: X
                                                                                                                                                                                                                                          • API String ID: 0-3081909835
                                                                                                                                                                                                                                          • Opcode ID: 8fd1dec60d196869ed9b337091f9637d2edcd709b5cd6c5864a48b58bf377ea6
                                                                                                                                                                                                                                          • Instruction ID: e09e02271f94733d1f52a509cd53d9bebb6f638b537a3686d3dc283b39c3fc37
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8fd1dec60d196869ed9b337091f9637d2edcd709b5cd6c5864a48b58bf377ea6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EF614B70E0A65E8FDB64DBA8C8647EDBBF0AF55314F5001B9D049A72E2DA381985DB01
                                                                                                                                                                                                                                          Function 00007FFD9B402F45 Relevance: 1.4, Strings: 1, Instructions: 156COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: _N_H
                                                                                                                                                                                                                                          • API String ID: 0-2366302235
                                                                                                                                                                                                                                          • Opcode ID: 8d917d6eddf9ad79573ddbe75fd1824373e8a2aac8d15bb698594056e46f065e
                                                                                                                                                                                                                                          • Instruction ID: 4897f1112233011d6526e8e9770088809bdc1529f4d6294ecff30685dda08776
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8d917d6eddf9ad79573ddbe75fd1824373e8a2aac8d15bb698594056e46f065e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 45510770A09A1D8FDF94EFA8C864AEDBBF1FF59304F55016AD40DE3291DA35A941CB40
                                                                                                                                                                                                                                          Function 00007FFD9B403048 Relevance: 1.4, Strings: 1, Instructions: 138COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: YG_H
                                                                                                                                                                                                                                          • API String ID: 0-2813365320
                                                                                                                                                                                                                                          • Opcode ID: 8f250580f2bb8aac3672879a3fd3418182c42c2f96a4d70dab0ce58dc69b2013
                                                                                                                                                                                                                                          • Instruction ID: 5c14c95a172360ed77e00eaa9b1f5eb4e0946609c82941c07badbfa340602f62
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8f250580f2bb8aac3672879a3fd3418182c42c2f96a4d70dab0ce58dc69b2013
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2741E571A05A4D8FDB88DF58C864AEE77F2FF98314F00013AE449E32A5CB74A945CB80
                                                                                                                                                                                                                                          Function 00007FFD9B619B30 Relevance: 1.4, Strings: 1, Instructions: 135COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: K+_^
                                                                                                                                                                                                                                          • API String ID: 0-2788485007
                                                                                                                                                                                                                                          • Opcode ID: d80729297fd8a052781a372ac366c353ae77e3989cc71ac9ae173bb581357ea3
                                                                                                                                                                                                                                          • Instruction ID: 0f4c5d809449142dc5286bbd94e2e367b18600e6cb6b14105c57edb22a0ff8ad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d80729297fd8a052781a372ac366c353ae77e3989cc71ac9ae173bb581357ea3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2C31AC31B0EB0A0BEB78AA5D54656B233E1EF95320F05417ED45DCB1E3DD24B8838781
                                                                                                                                                                                                                                          Function 00007FFD9B40CFF7 Relevance: 1.4, Strings: 1, Instructions: 122COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: tL_^
                                                                                                                                                                                                                                          • API String ID: 0-225026331
                                                                                                                                                                                                                                          • Opcode ID: 7d9e99be396e9bb7d9d2eefc0473f036779b0a5bdc6da7b930e49b336914157b
                                                                                                                                                                                                                                          • Instruction ID: 9dd67a3a901ac69547e998aa96eacdaa6f5742c87e03245c13e927e8839d8bf5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7d9e99be396e9bb7d9d2eefc0473f036779b0a5bdc6da7b930e49b336914157b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EA314C23E0A15A4BD721B76CE8A55F93BA0EF41328B090277D4DDCB1B7DE14658A8681
                                                                                                                                                                                                                                          Function 00007FFD9B40CDF3 Relevance: 1.3, Strings: 1, Instructions: 88COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Strings
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID: vL_^
                                                                                                                                                                                                                                          • API String ID: 0-2808113552
                                                                                                                                                                                                                                          • Opcode ID: b1243210907eea408675af81b256cf6a55f27dcc90b5b583fe78caa01b86c08c
                                                                                                                                                                                                                                          • Instruction ID: caacf14c1acecbbd8d2776dd5d1c567c2a68deb30276f0f824c41778772b49e2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b1243210907eea408675af81b256cf6a55f27dcc90b5b583fe78caa01b86c08c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8521B472A4E6895FE3559B7C9C1A0B97FE0EF9623470505BFE4C5CB1A3DE1418568380
                                                                                                                                                                                                                                          Function 00007FFD9B40D250 Relevance: .8, Instructions: 759COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bc78682d85e5f69ae30cd19b53b0a82c50ca0e7b683b6501a21568035b37bbc7
                                                                                                                                                                                                                                          • Instruction ID: e63c315cbf67a7b7702abf926322335ebbd989db93831abf59995743203fe285
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bc78682d85e5f69ae30cd19b53b0a82c50ca0e7b683b6501a21568035b37bbc7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6C327D32F1995E4BE728A7AC98616F877A1FF50318F1401BAD4CEC71E7ED2878468341
                                                                                                                                                                                                                                          Function 00007FFD9B40CFC5 Relevance: .7, Instructions: 699COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9416b5c06b6914c9c16ea6bd324059446121861b3ba0951a227f00e29c539ccc
                                                                                                                                                                                                                                          • Instruction ID: 008b90c47229fb96e59beee87496c8c9d008929b7d7a4e49a81d4a9a5cf61a72
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9416b5c06b6914c9c16ea6bd324059446121861b3ba0951a227f00e29c539ccc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3E224530B1D74D4FD728CBAC84A563977E1EFA5714F25457DE0DAC32A2DE28E8028742
                                                                                                                                                                                                                                          Function 00007FFD9B61C286 Relevance: .6, Instructions: 623COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 42eb1e0d0e0ebc2ee5db2b1e08b06350c5634755a6c82a92319e4b66cabf02be
                                                                                                                                                                                                                                          • Instruction ID: 70f9dc31292cd09992bb9eea4e806038897e88fb118dcf54faf9602eb6610f83
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 42eb1e0d0e0ebc2ee5db2b1e08b06350c5634755a6c82a92319e4b66cabf02be
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EF024761B1EB8E0FE7A99B7848A55797BE1EF55310B0505FED0A9CB1E3DE18BC028341
                                                                                                                                                                                                                                          Function 00007FFD9B40AB08 Relevance: .6, Instructions: 587COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0f9bca33c9307172897a496c369c9c489abf1c267cad60e132520d60585faa4b
                                                                                                                                                                                                                                          • Instruction ID: 1c065116fee6757d5cfac820a44fbd293d35473e847a1ceaf3ecc7e91732b06e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0f9bca33c9307172897a496c369c9c489abf1c267cad60e132520d60585faa4b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E7F13921B1EE4E0FEBA9DB6C846967477D1EF95344F0501BAE48DC72E3DE18AD028345
                                                                                                                                                                                                                                          Function 00007FFD9B40DE20 Relevance: .5, Instructions: 545COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eec76483f17bbf0fdd38a13b2bbffde03f2496b1d5bf4529f750ee57ca123dac
                                                                                                                                                                                                                                          • Instruction ID: 517ce4c23302cc627d2c027ffd281c56f8af655deafc7d8c2962021a92ba6e94
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eec76483f17bbf0fdd38a13b2bbffde03f2496b1d5bf4529f750ee57ca123dac
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5DE17B31B1DA494FE758EB6CC86557977E1EF99310B0541BEE0CEC72A7DE28AC428341
                                                                                                                                                                                                                                          Function 00007FFD9B406FF2 Relevance: .5, Instructions: 535COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6a7436ef169994b02eb8fb3852249d4e09b9a3b6bb0ae0649d9205c2fdc2221d
                                                                                                                                                                                                                                          • Instruction ID: 853ebd559391b29fb39d2cc1e1b67b24f503c949dfdd3ba16fcab6a1e8d800cb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6a7436ef169994b02eb8fb3852249d4e09b9a3b6bb0ae0649d9205c2fdc2221d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 94E16823B1E55A0BE31577BCA8265F87FA1FF91374B0842B7D09CCB0E7CD1864868282
                                                                                                                                                                                                                                          Function 00007FFD9B61FC8E Relevance: .5, Instructions: 534COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 99d9354b0b49ea904df2ecb9ece437efa8f8d27477463878fdbf54deee6b610d
                                                                                                                                                                                                                                          • Instruction ID: 15040ed44b945b75a7cb9c8a896f06cb4bae30437b838e881d07d75e3772b25a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 99d9354b0b49ea904df2ecb9ece437efa8f8d27477463878fdbf54deee6b610d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1502D871A29A4E4FEBA9EF6884619B973E1FF54310B1541BAC01AC71D6DE28FC42CB40
                                                                                                                                                                                                                                          Function 00007FFD9B40A7FA Relevance: .5, Instructions: 496COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: eba966cdb5ca34080507ff9f4a978749affc65398a5d5555278deda895d42b59
                                                                                                                                                                                                                                          • Instruction ID: 84a57df163e8ff4c0513031f042268aa8983b28a99f87fda991e93f188f559fe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: eba966cdb5ca34080507ff9f4a978749affc65398a5d5555278deda895d42b59
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FBE14A13B0FA9A1BE72563FCA8614FD3F61EF412B8B0903FBC1D8460E79C09654A5392
                                                                                                                                                                                                                                          Function 00007FFD9B621245 Relevance: .5, Instructions: 454COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cf83ca64ab467df757f853c6aa13752907021775da5e01a37db3da80faf50220
                                                                                                                                                                                                                                          • Instruction ID: 75e259fc912ecf3666c07d83dd50311449c45c0e4e1b7aec0a63b0b1ea572bd4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cf83ca64ab467df757f853c6aa13752907021775da5e01a37db3da80faf50220
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2E15A31A0DA4D8FDF94EF58C4A4AA937E2FFA8344F150169E45DD72A5CE30E942CB81
                                                                                                                                                                                                                                          Function 00007FFD9B611B64 Relevance: .4, Instructions: 438COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 31a70de6dd366bcd7cdd49407eebc6e97bb87b633d45d14e8b1d69ad11bd9caf
                                                                                                                                                                                                                                          • Instruction ID: ddf8100266a1cb8e68928807fecfadc34ed3c0fe9e3c806d41eada2d9c3e9e17
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 31a70de6dd366bcd7cdd49407eebc6e97bb87b633d45d14e8b1d69ad11bd9caf
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AED1C530B19A494FDBA8EB6CC465BB977E1FF98300F0545B9E05EC72A6DE28BC418741
                                                                                                                                                                                                                                          Function 00007FFD9B40D9E9 Relevance: .4, Instructions: 436COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cc44d615dd2e3599d9aecb3ec60d986dd22c92f06dffbd2aad04524590b28697
                                                                                                                                                                                                                                          • Instruction ID: 75041db425adde47ec850a067399e2569f6b1d73e9be5127568c139abb1032de
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc44d615dd2e3599d9aecb3ec60d986dd22c92f06dffbd2aad04524590b28697
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BDD1773170DB4D4FDB68DB58D851A65B7E1EFAA310F05027ED48DC32A2DE26A846C782
                                                                                                                                                                                                                                          Function 00007FFD9B40A6D0 Relevance: .4, Instructions: 403COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5b4ab6a1964f3bfa57414d18c052eeba361e080a4a542f33278ba8b918c7f234
                                                                                                                                                                                                                                          • Instruction ID: a984e5dbd9ba9ee89fc094b1ae93bcc99e085d4d5a3cfc226defd748c9016880
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5b4ab6a1964f3bfa57414d18c052eeba361e080a4a542f33278ba8b918c7f234
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2EB19E22B1DA4A0FE7199B5CE8625F937D1EF9536870502BBD0DDC31E3ED18A9074345
                                                                                                                                                                                                                                          Function 00007FFD9B61063D Relevance: .4, Instructions: 370COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 24f451cb5ce588712801ce6cacb01c67fd44d448774501439651cc4cdce42255
                                                                                                                                                                                                                                          • Instruction ID: da02a49249f74d3f8570c3c497b5f58b36bbe1be81f5f3e038fe5e6202a75099
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 24f451cb5ce588712801ce6cacb01c67fd44d448774501439651cc4cdce42255
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 77B12822B1EA8E0FEBA59B7C58752797BD1EF99710B0900BED059CB1E3DD187C428381
                                                                                                                                                                                                                                          Function 00007FFD9B409F9D Relevance: .4, Instructions: 365COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 259c4077263c6b3f13b0452bb1b0595404bbb0906e59ce7549a588fcc047fac8
                                                                                                                                                                                                                                          • Instruction ID: 446cb9d6ed812202ac68b54116340c5f96a82eb95c3648dd6e2647e6f6e626d6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 259c4077263c6b3f13b0452bb1b0595404bbb0906e59ce7549a588fcc047fac8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 90A16B62B0EA890FE7A596FC58752B47BE1DF99274B0901FBD48CC71E7ED086C429341
                                                                                                                                                                                                                                          Function 00007FFD9B4086DA Relevance: .3, Instructions: 348COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 17fb6e0dac0881e05f16011359597a367ed00aeddd338888e4264dcf74f7679f
                                                                                                                                                                                                                                          • Instruction ID: b084f4b355a5ad61ac315e091437ada14680ad941f5ec623e4cf01dbe67e49d1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 17fb6e0dac0881e05f16011359597a367ed00aeddd338888e4264dcf74f7679f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B6C11731E0F65E4FEB649BA4C8657E87BF0EF46314F0502BAD08DD71A2CA381946DB42
                                                                                                                                                                                                                                          Function 00007FFD9B413BF8 Relevance: .3, Instructions: 330COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 89a3aca740520a2177c09422116cfebf33ace19dbcfc7c0a1866adcb1333198b
                                                                                                                                                                                                                                          • Instruction ID: f1c72e23006dfa75d21364c70b5aa4b71550dbf3f048ed13ea15df7b956625d5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 89a3aca740520a2177c09422116cfebf33ace19dbcfc7c0a1866adcb1333198b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AEA13230B0DB098FDB69DB6CC4A0AB177E1EF65314B1505BDC08EC72A6CA25F842CB80
                                                                                                                                                                                                                                          Function 00007FFD9B40DE79 Relevance: .3, Instructions: 328COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 18fba6687dbf0a83cd90493adff65e2d54ceae4fa4de6e950bb5913e7e9c3651
                                                                                                                                                                                                                                          • Instruction ID: fa951eb75cb0ad76b21f65261c7562fefcebee38ebbee8d1c80a6839b45986e4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 18fba6687dbf0a83cd90493adff65e2d54ceae4fa4de6e950bb5913e7e9c3651
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F5916971B1DA890FE758EB6C986597537E0EFA9314B0141BEE4CDC32A3DE18EC428341
                                                                                                                                                                                                                                          Function 00007FFD9B610B1C Relevance: .3, Instructions: 322COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 64b81778c34018ce877fe03dd0b0576c9a2b43787e10ab728f78160a3f09c740
                                                                                                                                                                                                                                          • Instruction ID: 9b36e07a74b8dabbcf59349f087f1d98fbf0e6de653db3fec6b03182735153ba
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 64b81778c34018ce877fe03dd0b0576c9a2b43787e10ab728f78160a3f09c740
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D2912621B0EA8E0FEBA99B7C487457977D2EF99614B4500BED449CB2E3DD18BC428741
                                                                                                                                                                                                                                          Function 00007FFD9B61EB4D Relevance: .3, Instructions: 317COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fb8e2d03d8e79a61781767759b5dd33ed5af65668abab91f60ef1dd380373724
                                                                                                                                                                                                                                          • Instruction ID: 1c1ec57a00fd66ae25ed7b2bf03a84f472702c2ebb5e68b52aacd762f0acf624
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fb8e2d03d8e79a61781767759b5dd33ed5af65668abab91f60ef1dd380373724
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 59A12531F0E68A0FE329976888651B87BD1EF86310B1551BED4EECE1E6DD2CB5468341
                                                                                                                                                                                                                                          Function 00007FFD9B415B70 Relevance: .3, Instructions: 317COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f8a15d4e7e23a0cec72f8969a6715ef544eb3d6254abb0cbaa2db9693c0a3ccc
                                                                                                                                                                                                                                          • Instruction ID: 2f62e1c317a7c4b0fb07e79853c23388f68cf074c855e637c625fdc7b837eda3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8a15d4e7e23a0cec72f8969a6715ef544eb3d6254abb0cbaa2db9693c0a3ccc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9481F052F0FC1E4FF7B596AC18782B413C1EFB8699B2651B7D48DC72A1EE18AD065380
                                                                                                                                                                                                                                          Function 00007FFD9B617BC9 Relevance: .3, Instructions: 316COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e152b4c9852c5c7370d7dccb86966ee08a7d78f82fdcfd4902e95295470e4430
                                                                                                                                                                                                                                          • Instruction ID: 5c2c37114eac4aa83bb8828c72bd05f7be16f74d58ddf2982e414756daad271f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e152b4c9852c5c7370d7dccb86966ee08a7d78f82fdcfd4902e95295470e4430
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AF9147B1A0FA8E4FE756DB7884656B17BE1EF55310B0900FAC459CF2A6DD19BC428341
                                                                                                                                                                                                                                          Function 00007FFD9B612EFA Relevance: .3, Instructions: 316COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c78a3373075cdb72803c13b241d02bdf17684b8ffaf16d714823f5e5940a8451
                                                                                                                                                                                                                                          • Instruction ID: 1e0b11128d6629615a466fd338a6b74084d8f50a99d3ed28b74d92c0bb2ef1d3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c78a3373075cdb72803c13b241d02bdf17684b8ffaf16d714823f5e5940a8451
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4E91D631B0991D5FDBA4EFACD465AE837E1FF58310B45517AD09ECB2A2CE28F8458740
                                                                                                                                                                                                                                          Function 00007FFD9B581A42 Relevance: .3, Instructions: 313COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2469208746.00007FFD9B580000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B580000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b580000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 13496d52c6e72b26565e523c28cde81669df8bb0782a99e9765dbff38fe6d64e
                                                                                                                                                                                                                                          • Instruction ID: 7b7131428decdb6596d494f6e7263f27f84c24868381c6c1a25ffd0fed05eade
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 13496d52c6e72b26565e523c28cde81669df8bb0782a99e9765dbff38fe6d64e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9291A37290FBC94FE7939BB488755A53FF0EF17601F4A05EBC484CB1A3E928A9468711
                                                                                                                                                                                                                                          Function 00007FFD9B40E970 Relevance: .3, Instructions: 309COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b1df5c1ed484ea0f611e0c43f0188403eb491a3ef47bd0246ada991056ad4115
                                                                                                                                                                                                                                          • Instruction ID: b031a9a6cba55cd1754b6907283e0c3a87eeeddfc6fa21b925ad3c171b69a674
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b1df5c1ed484ea0f611e0c43f0188403eb491a3ef47bd0246ada991056ad4115
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A5814D72B0DD1D0FE7A8E75C98657B933C2EFA8364B0601B6E44DC72A6DE199D434340
                                                                                                                                                                                                                                          Function 00007FFD9B414894 Relevance: .3, Instructions: 309COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5fa67471e16107dfd9d5361e6a0572cea26c7815a6ead564331c9ef646ceaed1
                                                                                                                                                                                                                                          • Instruction ID: a49896990c1d5d5a00eeb60c030c481093eb280f9a66c59ef386e1d4a8547a72
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5fa67471e16107dfd9d5361e6a0572cea26c7815a6ead564331c9ef646ceaed1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 55913531B29B4A4FD768DF6894A15B673E0FF66314B11167DD09AC31A6EE34F8428B80
                                                                                                                                                                                                                                          Function 00007FFD9B61A286 Relevance: .3, Instructions: 303COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cd93ed001cb7392174e899bc8b83b74fccfb3ec37841998c6376b9f802aca942
                                                                                                                                                                                                                                          • Instruction ID: dca9f2596e9dab048808b4bb056ffc630a66accdc52fe09154773b365f29b7f8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cd93ed001cb7392174e899bc8b83b74fccfb3ec37841998c6376b9f802aca942
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9B91C3A2B1EE4F4BEBAC9B6C54B567563C2EFA434074550B9D07ECB1E6ED29FC018240
                                                                                                                                                                                                                                          Function 00007FFD9B413C20 Relevance: .3, Instructions: 297COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 318711d7accaf58f411d7cf4ae2f9a59b4b2bafc8677ca6f6de3716b0cb0e2dc
                                                                                                                                                                                                                                          • Instruction ID: e5f0c47fd68782c8f80c59ec60a2f6e7f5debc6a6e0fa93348c5a0b703685f15
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 318711d7accaf58f411d7cf4ae2f9a59b4b2bafc8677ca6f6de3716b0cb0e2dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 93916A30B1EB494FD728DF6894955B577E0EF62314F15167ED48AC32A2DE34F4428B81
                                                                                                                                                                                                                                          Function 00007FFD9B6137C5 Relevance: .3, Instructions: 296COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c7c100e5867e7af33c445a519a58046d4950ca0cceac1d6fb895cbfabd16065d
                                                                                                                                                                                                                                          • Instruction ID: 95e1935b2aa0f62586d2b709cef295f1c01314152cb9077d7a9defcf82fa7f33
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c7c100e5867e7af33c445a519a58046d4950ca0cceac1d6fb895cbfabd16065d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7781B23070E9494FDBB9EB6C94656793BD0EF4931071610FEE49ACB2A2D918EC428781
                                                                                                                                                                                                                                          Function 00007FFD9B4073E1 Relevance: .3, Instructions: 294COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 93a5cfccc7f4be516281876f724d26608dd2f39e9fcdd573e865ba0402bf95fa
                                                                                                                                                                                                                                          • Instruction ID: 96e366dce5bcd2a338d9c677858e4337be2b33995263204b2ca64768616a5db4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 93a5cfccc7f4be516281876f724d26608dd2f39e9fcdd573e865ba0402bf95fa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3B10770E0961D8FDB94DFA8C4A4BADB7F1FF59314F1541AAC04DE72A1CA38A981CB41
                                                                                                                                                                                                                                          Function 00007FFD9B40D469 Relevance: .3, Instructions: 294COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0626dc30bfa16eb5a0ea1f158fe809d43290a23d43ac969a601c571d643d12d0
                                                                                                                                                                                                                                          • Instruction ID: af7dbc427637feecc74c83f2c47b24790d15a47a33bbf6f4ce22007207e6d6f1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0626dc30bfa16eb5a0ea1f158fe809d43290a23d43ac969a601c571d643d12d0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 99A18171F18A4D4FEB98EB98D8657ECBBA1FFA8314F1402B9D45CD3196DE2828418742
                                                                                                                                                                                                                                          Function 00007FFD9B616410 Relevance: .3, Instructions: 290COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 302f69e4117d9e27071b0d32948503305ce5e647f74991b305a1230a5d153aa3
                                                                                                                                                                                                                                          • Instruction ID: 20de5dfb4509fada024ac6a3c835a7a9a4c97ccc0335a3a5122b0c7a3c9fc98a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 302f69e4117d9e27071b0d32948503305ce5e647f74991b305a1230a5d153aa3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 07815771B1DA4E4FEB6CABA894695B977D2EF94310B4401BDE02EC71E7DD29BC018740
                                                                                                                                                                                                                                          Function 00007FFD9B407DB9 Relevance: .3, Instructions: 285COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c2ed5507ced3a36b45678b85d63954cc75a38a45b7085e6e51f94a94b8e59266
                                                                                                                                                                                                                                          • Instruction ID: cdc901fd672749f25ad1f57858c2871e4f32b8c8e28cebb75c5b8a1351bc4c9d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c2ed5507ced3a36b45678b85d63954cc75a38a45b7085e6e51f94a94b8e59266
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31910572E0AA4E4FEBA4EFA8C8656ADB7E1FF54344F01057AE059D32D2DE386D018741
                                                                                                                                                                                                                                          Function 00007FFD9B6184C0 Relevance: .3, Instructions: 284COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a04beff30df45edededd9cf638bc5c292d2d5d07384f9435dd819a01520e8948
                                                                                                                                                                                                                                          • Instruction ID: 07221946e4e18d1f8debe61e9ee85ffd125aecf800586d485b7d36837122334a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a04beff30df45edededd9cf638bc5c292d2d5d07384f9435dd819a01520e8948
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0691FB31B0EA4E4FE7A5DB68883476977E2FF95310F1901BAD05DCB2A6DE28AC41C741
                                                                                                                                                                                                                                          Function 00007FFD9B40A015 Relevance: .3, Instructions: 282COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1260b5c3ca1d42759bfce58183bdb73491d3f30c8becf52b43e8ad1173ef5c87
                                                                                                                                                                                                                                          • Instruction ID: 6f6a1d16964b16f8cb79214cd7b1a6280054e281a1233ff87d59a4f8931a3653
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1260b5c3ca1d42759bfce58183bdb73491d3f30c8becf52b43e8ad1173ef5c87
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6B817872E0EF8E0FE7A4AB588029765B7D1FFA4360F04057ED04DC71A2DE28B9829741
                                                                                                                                                                                                                                          Function 00007FFD9B404610 Relevance: .3, Instructions: 282COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a53d086a0bf9e041c247c7f98d80e1600d70202ca536840e3f792299cd25bc3e
                                                                                                                                                                                                                                          • Instruction ID: bccf3b5c09636570d5c44f187656fde97ea0c33cb1b911bec3aed5b768e06857
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a53d086a0bf9e041c247c7f98d80e1600d70202ca536840e3f792299cd25bc3e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B3A12B71A09A8E4FDB84EF68C854AEDBBF1FF55304F1406BAD448D71A6DB34A846C740
                                                                                                                                                                                                                                          Function 00007FFD9B414BF0 Relevance: .3, Instructions: 268COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8a1529017e43da73709966c56b82f454a9d60ba128b2fd062ea8989234e351a7
                                                                                                                                                                                                                                          • Instruction ID: 62348fac99514f64ae8fd90aa9e3c3725796d9352366356aedbbcbce579eb138
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8a1529017e43da73709966c56b82f454a9d60ba128b2fd062ea8989234e351a7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FA710B21B0ED5D0FE7B9D76C84746B937D1EF99254B0A01FED04DC72A6DE08AD428781
                                                                                                                                                                                                                                          Function 00007FFD9B614BC9 Relevance: .2, Instructions: 248COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f6510ab1b7496dc197a138acad1792830a59478525221a966e65d93c87f1f4aa
                                                                                                                                                                                                                                          • Instruction ID: f4c554ca67c717d73e7fc1092dbdde62047daf53cf49daca5dbb0a1f625775c5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f6510ab1b7496dc197a138acad1792830a59478525221a966e65d93c87f1f4aa
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E671B332B0A94E4FEFA5EB6CC4686A877E1FF69350F05017AD459C72A1DE29BC41CB40
                                                                                                                                                                                                                                          Function 00007FFD9B622E48 Relevance: .2, Instructions: 248COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 44eb3bbc514b1876d2534a779781a09f881e42783d33e4e478a06f19a3284e44
                                                                                                                                                                                                                                          • Instruction ID: b60adfea3b98cd2b13914ae156ca0094405a13ff138d1784505c44f53ac08adf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 44eb3bbc514b1876d2534a779781a09f881e42783d33e4e478a06f19a3284e44
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AF81B870B0D64E8FDF95DF68C4A59A87BE1FF69310B0500B9E459CB2A2DA34EC41C741
                                                                                                                                                                                                                                          Function 00007FFD9B40403E Relevance: .2, Instructions: 241COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f8ee394cd7e8005092b343669a48ac0171cc3b37b27027b730c8e244ea7d8913
                                                                                                                                                                                                                                          • Instruction ID: 6fdc9357e6206e6597e2e25609bcca44f0981d0986d29685cdb59cb6dfa599d3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f8ee394cd7e8005092b343669a48ac0171cc3b37b27027b730c8e244ea7d8913
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 74812671E0E64D4FE724DBA4D8656FCBBB0EF52318F4502BDC08D9B1E2DA2829469781
                                                                                                                                                                                                                                          Function 00007FFD9B40D76E Relevance: .2, Instructions: 233COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c200b7a733434747294742517eaf059217b945a9845012bd9f88cd7e46ed48d5
                                                                                                                                                                                                                                          • Instruction ID: 8d8396e163c9f552175817fac6a393a19a4423435fb09120e46a99437ea29d20
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c200b7a733434747294742517eaf059217b945a9845012bd9f88cd7e46ed48d5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BA518B73A0EA4E4FE7659AACDC661B97BD0EF81334B0101BBD499C71E2DD2C2C468381
                                                                                                                                                                                                                                          Function 00007FFD9B61E8A8 Relevance: .2, Instructions: 231COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 12373bdcaa9b31e70e092aece6e4c08dcd0bce78d9197bbab6a98716d8b12deb
                                                                                                                                                                                                                                          • Instruction ID: da9db720ff161a2b0d51f7795ce0867ca12b4f27690edcc7dbb08cdcfc1303dc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 12373bdcaa9b31e70e092aece6e4c08dcd0bce78d9197bbab6a98716d8b12deb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66710570D08A5C8FDB98DF58C885BE9BBB1FB69300F1092AAD04DE3255DB74A985CF41
                                                                                                                                                                                                                                          Function 00007FFD9B615360 Relevance: .2, Instructions: 229COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5fd3375d9dffbbe4d427d2739a8c712ea99a4d7ca6322f5f72dc67916cd2ad12
                                                                                                                                                                                                                                          • Instruction ID: 9bb7b099fb79fa7d1777e99c446a752e4e39a8c46335073e42a7bb02dfa22668
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5fd3375d9dffbbe4d427d2739a8c712ea99a4d7ca6322f5f72dc67916cd2ad12
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3D712631A2DB894FD7A9EB68C469AA6BBE0FF55300F05017DD09DC71A2DE74B841C741
                                                                                                                                                                                                                                          Function 00007FFD9B408D32 Relevance: .2, Instructions: 228COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7332c8f8231d57cb20ba5febd5dda065e81706eae33ad549ba20c680910f9cd8
                                                                                                                                                                                                                                          • Instruction ID: e26425205f072189f4df886725bd7415fee5b81ccde5ca1c46c085d28a966a33
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7332c8f8231d57cb20ba5febd5dda065e81706eae33ad549ba20c680910f9cd8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E271CE7090E64D8FDB95DBA4C825AEDBBF1FF5A310F1001BED049D72A2CA395981CB51
                                                                                                                                                                                                                                          Function 00007FFD9B404667 Relevance: .2, Instructions: 226COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7f001f5abd96bd6fab621a27da0cd997e79ae8012ef2dce9f6da12727e46192e
                                                                                                                                                                                                                                          • Instruction ID: f3026b14105b6ed107cb8a85e71cb7c9e6d7961605c452dbf1f47531e43a7711
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f001f5abd96bd6fab621a27da0cd997e79ae8012ef2dce9f6da12727e46192e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2681D970A09A8E8FDB84EFA8C855AEDBBF1FF58314F1401B9D459D72A6DB349842C740
                                                                                                                                                                                                                                          Function 00007FFD9B408A55 Relevance: .2, Instructions: 226COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 32a6122fcd403503a6c9d6daa00de6dac933c43de8e8ff852b0d12bfd1543ff1
                                                                                                                                                                                                                                          • Instruction ID: 0faea7f09f03e2a09f10da563fd60a0c8ce48516e98fd437882b8f8abb8d20f1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 32a6122fcd403503a6c9d6daa00de6dac933c43de8e8ff852b0d12bfd1543ff1
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F9710470E0F68D4FDB659BA4D8256E9BBF0EF06314F0501BED089DB5E2CA2C1981CB52
                                                                                                                                                                                                                                          Function 00007FFD9B40E9FA Relevance: .2, Instructions: 226COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4f91689514a7d83262d72613fa541ea2b8fcef413136527cd9d813e8114fc691
                                                                                                                                                                                                                                          • Instruction ID: 3ff0324f459da4842c098d876a8962d836d7f0ed95eabbadb29588198a77e4d2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4f91689514a7d83262d72613fa541ea2b8fcef413136527cd9d813e8114fc691
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7D515B22B0E98E0FE77496AC94692B67BD1EF9967471502FBD08DC72A2DD189C069380
                                                                                                                                                                                                                                          Function 00007FFD9B40E648 Relevance: .2, Instructions: 213COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1ffe358d225db61e321ccf550a72f7fb8b959d032b7cf8b424e4232eea58e5be
                                                                                                                                                                                                                                          • Instruction ID: 20bf93bd09f2b581aa2d2f47c1b91e3737660af5ad9ca3c94a3c3c990fbf6103
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1ffe358d225db61e321ccf550a72f7fb8b959d032b7cf8b424e4232eea58e5be
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 65511430B1EA0E4FD7689B9CD89497173E1FFA9718B15067ED44DC3262EE25F8428780
                                                                                                                                                                                                                                          Function 00007FFD9B615388 Relevance: .2, Instructions: 210COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 70e6d35d6047f71381033e2ef0cfa032ffab2bb472c364269ec5849099452a55
                                                                                                                                                                                                                                          • Instruction ID: 153c98f285efb1ed2d4dc7d78babbdca4849b11f5bea0e28ceb62bf42048a5e7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 70e6d35d6047f71381033e2ef0cfa032ffab2bb472c364269ec5849099452a55
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CA61E531A2DB8D8FD7A9EB688469A66BBE0FF58300F05047DD499C72A2DE74B841C741
                                                                                                                                                                                                                                          Function 00007FFD9B413F5D Relevance: .2, Instructions: 204COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dd6004aac7001890d8d147e9afc4cf76ad8c35b6048a400435ab2deda39f7819
                                                                                                                                                                                                                                          • Instruction ID: 51587f37dd1e7dac30ad99d5b7a92f9997602c8fc0ce327ff3509f93697aadef
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dd6004aac7001890d8d147e9afc4cf76ad8c35b6048a400435ab2deda39f7819
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C6513B53E0FAC52FE321526D9CB54E92FB0EFA266870952BBD0D8C60A3DC08294B5751
                                                                                                                                                                                                                                          Function 00007FFD9B40BF69 Relevance: .2, Instructions: 200COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4c8adb846faba2e870da7290d093afa04f896c1facaad74ed8cece1a55fda64d
                                                                                                                                                                                                                                          • Instruction ID: 01f07a1767af871d3b546dcbe86eed002c9d00613257c281701fd44653d1a602
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4c8adb846faba2e870da7290d093afa04f896c1facaad74ed8cece1a55fda64d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DC514D61A4FBCA4FD76787B488355657FB1AF5724470E42EBC0C8CB1E7DA08A80AD312
                                                                                                                                                                                                                                          Function 00007FFD9B404C41 Relevance: .2, Instructions: 200COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 71bdc379500a0b2c388e541e98776b8daf0975f510f60b61a92b0e930e187b82
                                                                                                                                                                                                                                          • Instruction ID: b0f865bcf6f98fe8c68357d474edd8c634edab5c857ee7104c7532df200ad460
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 71bdc379500a0b2c388e541e98776b8daf0975f510f60b61a92b0e930e187b82
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 81512672A0AA8D4FE7A5DBA8D8246A87BF1FF45310F0501FED049DB2A6CE785D81C741
                                                                                                                                                                                                                                          Function 00007FFD9B40CCC7 Relevance: .2, Instructions: 198COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9371c262a4c2ea9576dcddfc3cc8fa60f8ef596dcf687deffa2cf93c46a2dc53
                                                                                                                                                                                                                                          • Instruction ID: 71bd7820aba5ee9f2a75911c0992b78d6d513c75ca43b7ddf54f544f97f3feed
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9371c262a4c2ea9576dcddfc3cc8fa60f8ef596dcf687deffa2cf93c46a2dc53
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F0515B32F4E95E8BE765B7ADA4254F97BD0EF84325B0601BBD09DC70E3CE5868818380
                                                                                                                                                                                                                                          Function 00007FFD9B40A860 Relevance: .2, Instructions: 193COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c6c61d5605fa5bbccdd402c4189d7a39ec7ef1d28e651c9846be4df824581752
                                                                                                                                                                                                                                          • Instruction ID: 732b1f52aef91147415e455ee9f079448a0c5d49250b7151e3e3d278778566c4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c6c61d5605fa5bbccdd402c4189d7a39ec7ef1d28e651c9846be4df824581752
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB51D603F1F99E0AFB7573ECA4714F87B61AF51368B0A47B7D0DC460E79C482A466291
                                                                                                                                                                                                                                          Function 00007FFD9B613C2C Relevance: .2, Instructions: 189COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 92660948bda4d2e4fc196f728a5e0e6e899840a9246568af5bd8b65d8b95013c
                                                                                                                                                                                                                                          • Instruction ID: 188d6539a0e0cbb61e5758a4693511eceb34e6fe260ff7c85681518c562e4117
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 92660948bda4d2e4fc196f728a5e0e6e899840a9246568af5bd8b65d8b95013c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 15514761B0F6CA2FE7B9C6684465664BFD1EF81250F0914FDD09ECF1B3CA18B9098341
                                                                                                                                                                                                                                          Function 00007FFD9B40A868 Relevance: .2, Instructions: 186COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 749b93da82c1c5ab5950bf943af593d8ed540c7b015a150f0b2e9686ee52115b
                                                                                                                                                                                                                                          • Instruction ID: 7e3dc95045f600f7658881fdffb8dd2ab3eb2226b8e793323a445406eaa759e7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 749b93da82c1c5ab5950bf943af593d8ed540c7b015a150f0b2e9686ee52115b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0051D503F1F99E0AFB7573ECA4714F87B61AF51368B0A47B7D0DC460E79C482A866281
                                                                                                                                                                                                                                          Function 00007FFD9B61C741 Relevance: .2, Instructions: 181COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4bed50514944123263ce28de3ad2404c2698e7cfb21b38ad1c928ae91fc19e19
                                                                                                                                                                                                                                          • Instruction ID: c03210fecd933fa0da0ef37979a12cab73caec1861aa425402ab3c0a96c12300
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4bed50514944123263ce28de3ad2404c2698e7cfb21b38ad1c928ae91fc19e19
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4B513B61B1EA8F4FE7A89B7854E15BD7BE1EF5530070401BAD069CB1E7DE55B9028340
                                                                                                                                                                                                                                          Function 00007FFD9B40ADFA Relevance: .2, Instructions: 181COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 31e34dbc1db6b0f71d7d7f77b164702627840f8df68ba70a545278f0363fd3f0
                                                                                                                                                                                                                                          • Instruction ID: 5c3f8925df6920ed208fba9215de7b294460928ab42d4eae6ed2977f81585450
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 31e34dbc1db6b0f71d7d7f77b164702627840f8df68ba70a545278f0363fd3f0
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3641F922B5EE4E1FD7A4DB6CD4616B973D1FFE4254B4502BAD08DC7296ED18EC024381
                                                                                                                                                                                                                                          Function 00007FFD9B615F14 Relevance: .2, Instructions: 173COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 60aa666ea1d68435ac8d9eaa100cc8e0fc2d855e432c1671e417757f4cf4fb92
                                                                                                                                                                                                                                          • Instruction ID: ab31e0a59803cdb5e64db525fce45d1b0aa7ebf864b0c2d45393d0b9c448abf5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 60aa666ea1d68435ac8d9eaa100cc8e0fc2d855e432c1671e417757f4cf4fb92
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C3410F30B08F0E4FDB68DA5C8429665B7E1FF98310B14427AE899C7265EE24FC028B81
                                                                                                                                                                                                                                          Function 00007FFD9B61066C Relevance: .2, Instructions: 170COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7caa17577cfb85750036e56bf3858120f8e0a559c53a4ef529cdc4cef7ae6cc4
                                                                                                                                                                                                                                          • Instruction ID: 5541f18022ee0bdeb39aaed91dfbffe8f885b4125ab5e8d5e8394d54aff730bf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7caa17577cfb85750036e56bf3858120f8e0a559c53a4ef529cdc4cef7ae6cc4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2F412722B2EE8D0BEBA9966C447457976D1EF98B0070601BEE05DC72F7DD14BC02C391
                                                                                                                                                                                                                                          Function 00007FFD9B413C30 Relevance: .2, Instructions: 169COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4fa7e9b74bf94fb7c74e095d2757acb789881e43f3f00cba2ea1ae877d91b4df
                                                                                                                                                                                                                                          • Instruction ID: 49e01cc53e7e0c51f6c5b579693f65e3290625befe26ad51fc8ecacf377c6e98
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4fa7e9b74bf94fb7c74e095d2757acb789881e43f3f00cba2ea1ae877d91b4df
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C410230A1AE0E4FD7659B98C894AA177E4FF69308B55067DD44DC32A6DA35F882CB80
                                                                                                                                                                                                                                          Function 00007FFD9B622EFA Relevance: .2, Instructions: 167COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 29d533b6f53cd30e225603b6ee6704cb843655701b2388995737830f3009ba9e
                                                                                                                                                                                                                                          • Instruction ID: ef4e411453ae70d7a82a1eeec3d942f9a2e4769099f322f9311a179ef88be005
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 29d533b6f53cd30e225603b6ee6704cb843655701b2388995737830f3009ba9e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F0510A70A19A0E8FEF94EF5CC495EA93BE1FF68340F050169E41DC72A5CA34E841CB80
                                                                                                                                                                                                                                          Function 00007FFD9B406451 Relevance: .2, Instructions: 165COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6c3e4f8b418cfb4c6ea2954c962338a963cbd6d1a25cbea5faa0773f06cc2a57
                                                                                                                                                                                                                                          • Instruction ID: 853a1b31931f0980661f5c32e4544c01af7f78fd674879c72aa98523c705d5db
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6c3e4f8b418cfb4c6ea2954c962338a963cbd6d1a25cbea5faa0773f06cc2a57
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 14512D70E0965D8FDBA8DBA4C4647BCB7B1FF15314F5540ADC04EE7292CA386985DB00
                                                                                                                                                                                                                                          Function 00007FFD9B62497F Relevance: .2, Instructions: 163COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6c2e7992b7b404230ed1904e7dd322ebad6c8e8b6fcc0040a5eb3ee4cec52ee9
                                                                                                                                                                                                                                          • Instruction ID: 6fb0d490b3214c0f43ad5552f9eab86940f6a206a1657b90401585cd58657c3a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6c2e7992b7b404230ed1904e7dd322ebad6c8e8b6fcc0040a5eb3ee4cec52ee9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 82410422B0EA8E0FFB659B6D44603782BE0EF55344F4605BAD15ECB2AEEC09BD418341
                                                                                                                                                                                                                                          Function 00007FFD9B40F5C4 Relevance: .2, Instructions: 162COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 627277ebbd2fdbcce32c3d067bbeef02896163d8a5d3f450a516b98a8d2d0bc3
                                                                                                                                                                                                                                          • Instruction ID: fd9e01fc73132c55fabb5f7faea3398263a799647d50e9697a4c2728a5dd94fb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 627277ebbd2fdbcce32c3d067bbeef02896163d8a5d3f450a516b98a8d2d0bc3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D1515171E1591E8BEBA8DB5CC8A97A873E1EF58350F0001F6E45DD32A6DE356E818B40
                                                                                                                                                                                                                                          Function 00007FFD9B40BB05 Relevance: .2, Instructions: 160COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 51c55af090eea76a52a43d845addfff77afc1981cbc1418a224b7d9bf5663ce2
                                                                                                                                                                                                                                          • Instruction ID: 9f0a1de6c205e1a1dacefad49a4aa127519554a48348f263a259f554fbc9a93a
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 51c55af090eea76a52a43d845addfff77afc1981cbc1418a224b7d9bf5663ce2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 51517171A0F78A5FD3559BB4C4355E8BBA0FF11324F0506FAC0998B1A3EE1C2986D745
                                                                                                                                                                                                                                          Function 00007FFD9B40E150 Relevance: .2, Instructions: 159COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c291d5f4fe755018f2bf4e989c79b5928afb34816b98c67b822a031b5d328755
                                                                                                                                                                                                                                          • Instruction ID: 461611c66b670a3154a4109a043b10d56d9b78969e60a797c707b5f5b582f8cf
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c291d5f4fe755018f2bf4e989c79b5928afb34816b98c67b822a031b5d328755
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 43414931B0890A4FE398EB7C847967977D2EF99350B4541BED09EC72E7DD2C68428741
                                                                                                                                                                                                                                          Function 00007FFD9B405758 Relevance: .2, Instructions: 150COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8087adada6dbdaeb2ca8aa05f4b0c1a98766f6270355b7e0ae4b5482c96e799d
                                                                                                                                                                                                                                          • Instruction ID: 382eab8f3e6b50b76d0959c7f19736e892367af7edbd47beb033689570d0ff25
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8087adada6dbdaeb2ca8aa05f4b0c1a98766f6270355b7e0ae4b5482c96e799d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CE41D271A0E64D8FDB64DFA8D8616FDBBB0FF46314F15007AD489E72A2CA785841D700
                                                                                                                                                                                                                                          Function 00007FFD9B40A010 Relevance: .1, Instructions: 147COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fdff727380a445e60cf0c777cdd5a6a144b735eebcacb7c0a66372952e11cebb
                                                                                                                                                                                                                                          • Instruction ID: eabe28abf0a09bc537708c3551c6383dfb419d1b2cc7e8b3e5b9ac9dcc531154
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fdff727380a445e60cf0c777cdd5a6a144b735eebcacb7c0a66372952e11cebb
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D741D531B1DA4A8FDBA5EB6CC064EB277D1EF64304B1545B9D08EC72A6CE28F845DB40
                                                                                                                                                                                                                                          Function 00007FFD9B40EA2D Relevance: .1, Instructions: 143COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ea7513e6165c2a06ac30288b0a2733ee01974b97140fa497fb359e089d833a56
                                                                                                                                                                                                                                          • Instruction ID: e3662e44cc3fceca49bd54c2d50ee035f2005ff9daab57c850c49f5d3773c297
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ea7513e6165c2a06ac30288b0a2733ee01974b97140fa497fb359e089d833a56
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2F41E932F195594BE754F76CE8665F977A0FF41329F0402B7D04DC61A3DE2429868B81
                                                                                                                                                                                                                                          Function 00007FFD9B410220 Relevance: .1, Instructions: 143COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a0809992c36e3575294b8c27bfa1377436f67de7196c75a406cc4caff26a83ec
                                                                                                                                                                                                                                          • Instruction ID: 4f0666c1192de76c6b0d9864549837b75de3d1b235b346f83250ed0ae9258f8f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a0809992c36e3575294b8c27bfa1377436f67de7196c75a406cc4caff26a83ec
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EA418231F19A0D4FDBA8DF5884656BA37D1FFA8318F11017AE41DD3295CE34E9028781
                                                                                                                                                                                                                                          Function 00007FFD9B412CA8 Relevance: .1, Instructions: 141COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: be1a4af5954898aba9bcfed5375d140a760a3eef6c142079cd28cf37144359af
                                                                                                                                                                                                                                          • Instruction ID: 50e65e7f0f2522f7d4b7c5e80579f1f2f4df25bc9456fb9e2483a61d0719c992
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: be1a4af5954898aba9bcfed5375d140a760a3eef6c142079cd28cf37144359af
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D314DA2F19D5D0FE7E4A66C9C292BA33D0EF98354F05057BE88DC62A1FE589D424341
                                                                                                                                                                                                                                          Function 00007FFD9B4035C7 Relevance: .1, Instructions: 139COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bce68e0fc56d9da11a75cf45d76c5ae0c8d4dedfdf9a9983edac7dab91007493
                                                                                                                                                                                                                                          • Instruction ID: 1166668a5896664079a1def197ba43d9e9ee877d7556d1e6b4a43bf951391237
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bce68e0fc56d9da11a75cf45d76c5ae0c8d4dedfdf9a9983edac7dab91007493
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B7411A71A4A68E5FD365DBB8C4695A9BFE0EF46234B1401FEC049DB2F2DA5C1D81CB01
                                                                                                                                                                                                                                          Function 00007FFD9B40405D Relevance: .1, Instructions: 138COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ae046a7c9b853f0ced65d3646d2dc5b8fc35b45236ef87ae5d31a23b3a77df86
                                                                                                                                                                                                                                          • Instruction ID: 7831c5a95ca10899eff5ec136002ef29b5ecba2b65fb505d905a892cb0cbe109
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ae046a7c9b853f0ced65d3646d2dc5b8fc35b45236ef87ae5d31a23b3a77df86
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AD41F770E0A65D4FEB64DAA4C86A6FC7BF0EF54314F44027ED099971E1CE382546DB81
                                                                                                                                                                                                                                          Function 00007FFD9B6101AD Relevance: .1, Instructions: 131COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c8009e70a6ed59a2f0df82328eb0718223092480b6364eef4aa80db79205e48f
                                                                                                                                                                                                                                          • Instruction ID: d53474ddf7c4e1cd983555ddb3360fe660afdc7d429eaf4d373b6d96e7bb24a7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c8009e70a6ed59a2f0df82328eb0718223092480b6364eef4aa80db79205e48f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7B317C22B0FECD0FDBAA977C58356A477D0EF8570074901BAD099CB1A2DD19B9028341
                                                                                                                                                                                                                                          Function 00007FFD9B61C9F9 Relevance: .1, Instructions: 130COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e8aff85b9dcc2883b2a64244a37f244996be2d5ba6c9f93e045094a45734e4c3
                                                                                                                                                                                                                                          • Instruction ID: 6a6abe5bdb2db95e0145e8c07ae9d7fef0cac757e74797a6d292b68d9b387f63
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e8aff85b9dcc2883b2a64244a37f244996be2d5ba6c9f93e045094a45734e4c3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8A41313064F68A4FD756EBB888A5A667BF0EF42314F0904FAC058CF0A3D629B941C791
                                                                                                                                                                                                                                          Function 00007FFD9B6218F5 Relevance: .1, Instructions: 130COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dfc4213be311d251db069b1094140f5b11e8b55be1b543ec66c7cb2dace6bf4c
                                                                                                                                                                                                                                          • Instruction ID: 6ce7764b916a02c695db4736a88c0dba9b91b3d119c22ee404d107bcd4e394fc
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dfc4213be311d251db069b1094140f5b11e8b55be1b543ec66c7cb2dace6bf4c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7E31B620B0EB5C4FEB64975C986677677D1EF99720F0502AEE48DC72A2CA14BD4183C2
                                                                                                                                                                                                                                          Function 00007FFD9B40852F Relevance: .1, Instructions: 127COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cc53e0115273b4cc7d13aa737ec3f6a6798309732cc80ba9ec5b66c8f199fd90
                                                                                                                                                                                                                                          • Instruction ID: 82c43251e90ac45445eae7c1feaf42891414619dc87b3740c82d7ea9636b64d8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cc53e0115273b4cc7d13aa737ec3f6a6798309732cc80ba9ec5b66c8f199fd90
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9841D27190AA4D9FDB55EBA8C8556EDBBF0FF19320F0401BED089DB1A2DB381582CB01
                                                                                                                                                                                                                                          Function 00007FFD9B40BCA5 Relevance: .1, Instructions: 125COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 90ffa28aa697d8a4412399a8af9a7f6f53b4f03ecd69c42637451d78e6e85b98
                                                                                                                                                                                                                                          • Instruction ID: b1a99469e4b3d84ef58d9dc233ec68ceb23b1d460d81103b39584bbc9fa02e01
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 90ffa28aa697d8a4412399a8af9a7f6f53b4f03ecd69c42637451d78e6e85b98
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 66419421F29A0D8BEB90EBD8D855BACB3A2FF98320F104275D459D72E6DE286C418741
                                                                                                                                                                                                                                          Function 00007FFD9B413E77 Relevance: .1, Instructions: 124COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 980b6894e01e94ff37398c1f5ad5f6bf3aa12524926b78535eb7feb6604f440a
                                                                                                                                                                                                                                          • Instruction ID: 5eb1a7d53771450db397a1ee12f4f802d9998203951ec076afc719ebbc3fe9dd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 980b6894e01e94ff37398c1f5ad5f6bf3aa12524926b78535eb7feb6604f440a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 59310532B1D9280FE728AA5CE8665B573D0EF98765B0502BBE48DC72A6CD156C4642C2
                                                                                                                                                                                                                                          Function 00007FFD9B403C93 Relevance: .1, Instructions: 124COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a716f3e01922150fc5d6a040f1c8d72e5044be802f439df0726264753b3fbd58
                                                                                                                                                                                                                                          • Instruction ID: e83e0d2b504053a90c5ee006af26657b85dd8d99db9ff882630c481d0b3a8e38
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a716f3e01922150fc5d6a040f1c8d72e5044be802f439df0726264753b3fbd58
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B4415E71E1E64D8FDB64DB94D8615FCBBF1FF49314F51017AD04AA72A2CA382940DB40
                                                                                                                                                                                                                                          Function 00007FFD9B61C615 Relevance: .1, Instructions: 121COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: c8f2df49e7c5f9e5362c5cb2876b536cf3547bb823f35c42d8fcced8c6ae656a
                                                                                                                                                                                                                                          • Instruction ID: d11bfe1fbab33a1eea8d24adc673178d9a594f3d6acdfffac5678390cdfb1a2b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: c8f2df49e7c5f9e5362c5cb2876b536cf3547bb823f35c42d8fcced8c6ae656a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7B3118A1B1AE4F4FE7AD97A840B567D67E1EFA4340B4511B9E029CF1E6DE18FD018280
                                                                                                                                                                                                                                          Function 00007FFD9B410258 Relevance: .1, Instructions: 119COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8d2ebbac83bb34b8cfcf2f396e21047a5049663f015f8a8498657c2f3203303a
                                                                                                                                                                                                                                          • Instruction ID: 80cfed65f5b4422af6832ebd1167de5e08e934106bce08d125a7d3737dc6a9d3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8d2ebbac83bb34b8cfcf2f396e21047a5049663f015f8a8498657c2f3203303a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: EE313971F1DA494FE7A0C6589494676B7C1EFB4328F05067BE44CC32B1CA18EA90D386
                                                                                                                                                                                                                                          Function 00007FFD9B414018 Relevance: .1, Instructions: 115COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 54c8138f6a109b29f0d1e13596f5aa9e25d9a9c5465f4916d9f7788f14c65068
                                                                                                                                                                                                                                          • Instruction ID: 5a117981e2d5d8280e3ca6b72720808548befaf9f68b3ba397d584d9d66ee529
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 54c8138f6a109b29f0d1e13596f5aa9e25d9a9c5465f4916d9f7788f14c65068
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D521D822F1ED4E0FEBE8E65C54B57B923C2EBA8355B40417AD80DC32D5DE15ED029380
                                                                                                                                                                                                                                          Function 00007FFD9B616FB1 Relevance: .1, Instructions: 113COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e8693606b6f37d717bdbda0699393a15c921acd264ce6b918b812c4280ea9ef9
                                                                                                                                                                                                                                          • Instruction ID: 1a0113da6e7294111e7f2d29283f160afe635cd65f49bdc7e9612e6716a3e944
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e8693606b6f37d717bdbda0699393a15c921acd264ce6b918b812c4280ea9ef9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E2317CB1B0EA4E4FE7699BA894269B977D1FF40314B5501BDD01A8B0A2DD29BD068380
                                                                                                                                                                                                                                          Function 00007FFD9B41CAE8 Relevance: .1, Instructions: 111COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ccdaab5581828a18867035ce78ce4b3fbe4e511c83ca097d3aaae0af788107b2
                                                                                                                                                                                                                                          • Instruction ID: 7b8525ea3d05076d541a06165599c9ae3a5f4282cacba6a646335401fca1f1c2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ccdaab5581828a18867035ce78ce4b3fbe4e511c83ca097d3aaae0af788107b2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 16310B22E4FE8E0FD7A5977848256B57BD1EFA525078945BAD08AC31E6ED1CAC019340
                                                                                                                                                                                                                                          Function 00007FFD9B409D68 Relevance: .1, Instructions: 99COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7786967dfcdc9a22e441abdcc7c53c07f58f53af3dd6119083966078997a3ad3
                                                                                                                                                                                                                                          • Instruction ID: 4e0628ad06b84fc527837fba1b5e9c4bd57ecd9551c4b5f5569e25c4db975c79
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7786967dfcdc9a22e441abdcc7c53c07f58f53af3dd6119083966078997a3ad3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8431787254EBC62FD35393B994AD0C5BFE1AF4713436904DEC0C18B466EA9D5C86C342
                                                                                                                                                                                                                                          Function 00007FFD9B403CB7 Relevance: .1, Instructions: 98COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2910af340b825c956113c84d503b13236d1b1730b2f986d711833ea4ac177b22
                                                                                                                                                                                                                                          • Instruction ID: 895993b87ce424be0cb11951ccb617799dd0f5f04436cc3dcde8373b25bfbcc7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2910af340b825c956113c84d503b13236d1b1730b2f986d711833ea4ac177b22
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 40316971E1961D8FDB54DB99D8A56ECBBF1FF58304F40013AE04AE72A1CB386842DB00
                                                                                                                                                                                                                                          Function 00007FFD9B40CD7D Relevance: .1, Instructions: 96COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ce6006ef676510b3b4915f1052bb654e43e076b52cd8bdf80ea66b89335f1b26
                                                                                                                                                                                                                                          • Instruction ID: 8c424e76624b7be4735e83b0370f8b5e0ed48137cd46d14c484617b1615e37d7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ce6006ef676510b3b4915f1052bb654e43e076b52cd8bdf80ea66b89335f1b26
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 55217837B5D62A9BE31476ADE8150ECB790EF85271706417BC689CB8D3CF28785B82C0
                                                                                                                                                                                                                                          Function 00007FFD9B412B85 Relevance: .1, Instructions: 95COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 737b6650aeea88e66f6f2a78db8f52009efed38452214c5fd3e7cf3e90c90d6b
                                                                                                                                                                                                                                          • Instruction ID: 1bfbda135379ce4011daec09847b8018359bd10aaa3df4690c651091248407c7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 737b6650aeea88e66f6f2a78db8f52009efed38452214c5fd3e7cf3e90c90d6b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 56210B33B4ED491AF6B841ED3C751B46BC1EF9566C70A01BBE04CC71A6DC4A5C82A285
                                                                                                                                                                                                                                          Function 00007FFD9B405201 Relevance: .1, Instructions: 94COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ccefa61f4bae3732e7f7eaa8655112ac86c1de71ef7b7ba62f08c2f3e818dc79
                                                                                                                                                                                                                                          • Instruction ID: bd2325d9dee9188bb0e5715000757465a45ffd49c35a5496fd7662ead6acabe9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ccefa61f4bae3732e7f7eaa8655112ac86c1de71ef7b7ba62f08c2f3e818dc79
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8221B171909A4D9FDB44EFA8D8656ED7BF0FFA5310F0400AFD008D72A1DA645881CB81
                                                                                                                                                                                                                                          Function 00007FFD9B6249F3 Relevance: .1, Instructions: 89COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ce6d115eb44cb6aa77b62ccfd4c888c7d0824a347babe2fc66a7608d74fdefd9
                                                                                                                                                                                                                                          • Instruction ID: 5168bd03c45dde2f21eacad96fe3585c01c20d45850523a7ee57a44b8061f42e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ce6d115eb44cb6aa77b62ccfd4c888c7d0824a347babe2fc66a7608d74fdefd9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 5C214622B1EA8E0FF6A497AD246027427C0EB59345F5601BAC16ECB1ADDC09BC024345
                                                                                                                                                                                                                                          Function 00007FFD9B40EAE5 Relevance: .1, Instructions: 88COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ff91d3db32332e97438b7b6a4ed87a59f4d1bb09009cb37dce293740088364a5
                                                                                                                                                                                                                                          • Instruction ID: 250d76ebf674451ac9edfe5d7b02205db252d9a7439bb27640f63e20ea763ab6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ff91d3db32332e97438b7b6a4ed87a59f4d1bb09009cb37dce293740088364a5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 63219371E0A68D8FEBA9DB68C8652A877B1FF55304F0101BAD44DC72A2DE342991CB41
                                                                                                                                                                                                                                          Function 00007FFD9B623D81 Relevance: .1, Instructions: 87COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a60c62199663a9d5910a6de032a5b1a25efd6868164460d37cde708169dc430d
                                                                                                                                                                                                                                          • Instruction ID: 1d24fc988d9504c2023916fe97a246e52493fa485bc46a43a6797bfc1521dfb1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a60c62199663a9d5910a6de032a5b1a25efd6868164460d37cde708169dc430d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DE21907170EE4C4FE795DB6C98A86643BD1FF5D32071A01EAE49DCB2A2DA11AC41C741
                                                                                                                                                                                                                                          Function 00007FFD9B61711A Relevance: .1, Instructions: 86COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 78c9c611f7cd5dc8eccc3460b16b62139ed4257ecb4737658fb9ed1d103f9eef
                                                                                                                                                                                                                                          • Instruction ID: 2e3c21ab0afe5456413a334b2e47be144e5e82bfbabefb39fa9f12d2443b17bd
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 78c9c611f7cd5dc8eccc3460b16b62139ed4257ecb4737658fb9ed1d103f9eef
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9F213B71B1DA0E4FEB68AEACA4265FD33D1EF54320F0511BAD01DC71A2DD25B9418780
                                                                                                                                                                                                                                          Function 00007FFD9B4089A5 Relevance: .1, Instructions: 86COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a278f4b214864dab89099fe06394cd83aee5133f0065fbb390bd32d1730c49e3
                                                                                                                                                                                                                                          • Instruction ID: 567df0ed882a03248e9ac681d6c04d9deefa9dbd838a6db0db9a83742ba8955b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a278f4b214864dab89099fe06394cd83aee5133f0065fbb390bd32d1730c49e3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BC21053090B68E8FD7749AA4C4106E8BBE0EF42328F1503BDC49C975E1DB785A85DB42
                                                                                                                                                                                                                                          Function 00007FFD9B622A3D Relevance: .1, Instructions: 85COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7f9f8a1c016586d251a243096b584de09e0e53f28d948c81259e1f6a9ff1405c
                                                                                                                                                                                                                                          • Instruction ID: 4f22dd98c49c5d64bffa9954d257eaac26aa7403485448f49a90a0562ace0a1d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7f9f8a1c016586d251a243096b584de09e0e53f28d948c81259e1f6a9ff1405c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6521AA22F0EA9C0FEBA1DBAC58652ED7BE1EF6D315B0601B7D408D71A2DE186C058391
                                                                                                                                                                                                                                          Function 00007FFD9B402E38 Relevance: .1, Instructions: 85COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a6dc7856a17dc792b7e1f58fcd0fc9521aaf748acd6b27a8bd7c78f35905971e
                                                                                                                                                                                                                                          • Instruction ID: a1602bef9ce45b0e1879130caa6f7d7271d4e15847df88ae0a1781aede6f8dac
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a6dc7856a17dc792b7e1f58fcd0fc9521aaf748acd6b27a8bd7c78f35905971e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D021FB32A1E58D6FEB64DFA8C8655E97BE0FF65204F0501B6D88CC71E2DE24AA41C781
                                                                                                                                                                                                                                          Function 00007FFD9B414BD5 Relevance: .1, Instructions: 84COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 224e1d167b0889e380d253504ef913b65d4d468bc7dd410249c5c78c242760dc
                                                                                                                                                                                                                                          • Instruction ID: 0317e096128e7633c3f875ac5e8bc215bfe44a74b498f729da66614e4484ce85
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 224e1d167b0889e380d253504ef913b65d4d468bc7dd410249c5c78c242760dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F921B730B1DE8D4FD7A9E758C060A7977E1EF95204B0A40BED08EC72A7DE18B945D741
                                                                                                                                                                                                                                          Function 00007FFD9B40425B Relevance: .1, Instructions: 84COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5fd46b3d2e2e111eecc4e39694d559afac3972e450e4c29aa9d8c13c7708307e
                                                                                                                                                                                                                                          • Instruction ID: dd2c896943b14e7d12ea5e0b5e646d63b2351e59dc003ed6990f1ed28714d721
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5fd46b3d2e2e111eecc4e39694d559afac3972e450e4c29aa9d8c13c7708307e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BF216F3198E3C94FD32257A0A8225F57F789F03255F1B01EBD088DB4A3C51D5A9AC7A2
                                                                                                                                                                                                                                          Function 00007FFD9B400C58 Relevance: .1, Instructions: 80COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 115c43e5528f98271dbe7162c362bb1a7c86673f3b64ba1256710b0cab8a4e27
                                                                                                                                                                                                                                          • Instruction ID: cfdb89863668bbe2fcb17d99f17da69a008dcec9a457bb304c679b046b9f4d8f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 115c43e5528f98271dbe7162c362bb1a7c86673f3b64ba1256710b0cab8a4e27
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0B214B72A0E69E4FD329A778D4225E97B90FF42324F0602BBC049CB5E3DD6C5944C781
                                                                                                                                                                                                                                          Function 00007FFD9B413400 Relevance: .1, Instructions: 80COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4bd6627be82e2d8dc0ea7c69afa6aa16b74cc56f0ae22c943bc6887a1b1c690b
                                                                                                                                                                                                                                          • Instruction ID: 9483b0dc850e3a885eb704d889e427428bffe2eee20a91d0e20671383866e75f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4bd6627be82e2d8dc0ea7c69afa6aa16b74cc56f0ae22c943bc6887a1b1c690b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 89118632F1DE0E0FEBE8D65C64656B963C2E7E8269715113BD41DC32A8ED15E9435380
                                                                                                                                                                                                                                          Function 00007FFD9B614655 Relevance: .1, Instructions: 79COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2e8f706d1d96d965d944b9844c98bda317a4467bf8acdf42548108cc5ab714a6
                                                                                                                                                                                                                                          • Instruction ID: 8a94dd53a2793b6a2262048510817bb6dc4050534008a1719554c959dbf289a2
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2e8f706d1d96d965d944b9844c98bda317a4467bf8acdf42548108cc5ab714a6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9C21F03170A9194FD7B5E76C846853937D1EF4A204B5600BED09ECB2A3CE18AD418B81
                                                                                                                                                                                                                                          Function 00007FFD9B61CA20 Relevance: .1, Instructions: 78COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ed8f3ed33ac7f8b14b22a0df935ab1a9e874ce6f21bc4e20822845c3defbaa27
                                                                                                                                                                                                                                          • Instruction ID: df0682a9322934eb063ee9d1d1318ba084bb73f933a0992a0110bf7d3d1da6d3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ed8f3ed33ac7f8b14b22a0df935ab1a9e874ce6f21bc4e20822845c3defbaa27
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BA21343024B60D5FD765EBA8C8A9AB677E0EF44324F1805F8D019CF1A6C639BC81C790
                                                                                                                                                                                                                                          Function 00007FFD9B40BCD1 Relevance: .1, Instructions: 78COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 314f8cf3c1708d77430f56c735a152c10fc164b4debfd31cb86981cb9ebdc731
                                                                                                                                                                                                                                          • Instruction ID: d5557a5f533434721167bef9d2cf5cc7692d7b5327655f320a55f76c42411bbe
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 314f8cf3c1708d77430f56c735a152c10fc164b4debfd31cb86981cb9ebdc731
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 98213D61F29A0D8BEB94EBCCC866AACB3B2FF98350F100175D05DD3296DE286C019701
                                                                                                                                                                                                                                          Function 00007FFD9B4160F0 Relevance: .1, Instructions: 77COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d05a1fd88c91a92a1d7aaffae0536a573de1422c8878b63d6ab237126ed25177
                                                                                                                                                                                                                                          • Instruction ID: dcd9040f084c67a54f0ce7e199f3fa525283b2d85fba3bc00caa27ffd8724c2e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d05a1fd88c91a92a1d7aaffae0536a573de1422c8878b63d6ab237126ed25177
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D118222F0FD4D1FE6E484AD3CA51753AC2DBA961971601BBE84CC7277DD62DD418281
                                                                                                                                                                                                                                          Function 00007FFD9B40BE16 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 421fa0c5d4803ce3a38cab4be7cc0c5bb646a0660fa3e9e27108faa52c9ed796
                                                                                                                                                                                                                                          • Instruction ID: f5ea8c96b01c557ef6f4387f101fa6b8dd80705aebaf23123ba7ec3044e76a61
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 421fa0c5d4803ce3a38cab4be7cc0c5bb646a0660fa3e9e27108faa52c9ed796
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A2118C62A0EECE0FE7A5976884696F477E1EB7939470900BBC08CC31A3DD1969079380
                                                                                                                                                                                                                                          Function 00007FFD9B40E938 Relevance: .1, Instructions: 75COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fe365322fd9f22bac1be3bb5c42d29dd00e0d0f3b5c8db6e182129db3c3c8f80
                                                                                                                                                                                                                                          • Instruction ID: 8905a770b696a4dc50e862eba1a445c099f516a079bba34b9ce8a86319f37ece
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fe365322fd9f22bac1be3bb5c42d29dd00e0d0f3b5c8db6e182129db3c3c8f80
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 33216A61B0FBCA5FE361E76C88545A53BD0DF6666470904FED048CF1BAD928DC45C300
                                                                                                                                                                                                                                          Function 00007FFD9B614670 Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 445368bf08c928f8448d9559d152204aac585739ae4d4897a55d479782fd5957
                                                                                                                                                                                                                                          • Instruction ID: 805b278ea61e63ff867f6dc3769df58148bf7f2e582d4bd7beaa6300cde748f3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 445368bf08c928f8448d9559d152204aac585739ae4d4897a55d479782fd5957
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB11A33170681D8FD6B4EB5CC468A7A32D5FF89304B52147DE09EC72B2DE14AD418B80
                                                                                                                                                                                                                                          Function 00007FFD9B40CEAE Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5dd0f0bde13db250c0e16cc57e52f3a63236f0daf2ed4f8b309709a40c020302
                                                                                                                                                                                                                                          • Instruction ID: 647a6aa80a2bc0843fff4381c9731305642782da711bef5c71cfd9a848e0414d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5dd0f0bde13db250c0e16cc57e52f3a63236f0daf2ed4f8b309709a40c020302
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D5112531B5D91D9FD768EB5CE86656C77E1FF98711B0101AAE04DC32A7CE20AC0297C1
                                                                                                                                                                                                                                          Function 00007FFD9B407140 Relevance: .1, Instructions: 67COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1e03742ad9a6d7535ec5affbaee10c79de4c9396595f9f98e425bd472f8b3b4b
                                                                                                                                                                                                                                          • Instruction ID: a9c527dcbb02aecd4739b5b02b85b6b05e9eab97fe03caea9eea7f1d3dfe7d9d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1e03742ad9a6d7535ec5affbaee10c79de4c9396595f9f98e425bd472f8b3b4b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 94118071A5EA496FE3689A7C881D47E7BD0EF55265B05057FF046C71A3DE2818468380
                                                                                                                                                                                                                                          Function 00007FFD9B610D58 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d31841564383f7536859a9a1428daa463fcc20e2482fade55dcf3383d7c26708
                                                                                                                                                                                                                                          • Instruction ID: 9ef4bc83b6a088373848f7eb19f9df578344d118dda8d3f5dd543184afbd072f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d31841564383f7536859a9a1428daa463fcc20e2482fade55dcf3383d7c26708
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7901D222F1FE0D1BEBA89AAD58B05347382EB9861474901BEE41DC72A7DD55FC418385
                                                                                                                                                                                                                                          Function 00007FFD9B405C19 Relevance: .1, Instructions: 63COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f54a145e08291a78111fc747ac67272e8f9aeef994245b3fa2ce40df0895538c
                                                                                                                                                                                                                                          • Instruction ID: 3a8b21f8a6685567f7fc172220a94523ecba7929d7b84d32acd2bb2460121592
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f54a145e08291a78111fc747ac67272e8f9aeef994245b3fa2ce40df0895538c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 0E118E7094A7899FD756DBB488692DDBFE0EF16324B2808EDC085DB1A2C6BD4885CB00
                                                                                                                                                                                                                                          Function 00007FFD9B404F99 Relevance: .1, Instructions: 62COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0238a77df36d65493232c710bc2f1d619abdf1ead910d02750ce4805e295b06a
                                                                                                                                                                                                                                          • Instruction ID: 3ebb9972448e466bda063342860f98e675254e1cedbae2c532f04f209dc97c15
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0238a77df36d65493232c710bc2f1d619abdf1ead910d02750ce4805e295b06a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D0119161A4FA8E4FE760AAE4C4397B9B7E0EF06354F411579D489871E3CE6C2940AA81
                                                                                                                                                                                                                                          Function 00007FFD9B6246F5 Relevance: .1, Instructions: 61COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 509ac620abc72f424378d0148a02536125c91755d2bc7cabb8330b5bcd15365b
                                                                                                                                                                                                                                          • Instruction ID: 2cded7555280d5294be0a9816c54fa25233d2da281fcba24de3f3079e4779c05
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 509ac620abc72f424378d0148a02536125c91755d2bc7cabb8330b5bcd15365b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BE01F73160CE1D8FCB54EA1DC194E7537E0EF5830134504EED49ACF6B2CA28E9858751
                                                                                                                                                                                                                                          Function 00007FFD9B404F73 Relevance: .1, Instructions: 59COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 07682be7bebef973ab903237121ed43c139bd24abee0aab7b11c34cedc048231
                                                                                                                                                                                                                                          • Instruction ID: ce518c4f7aa64286e587c73362347b25431cd59655d2d38aef0bfa39cce5111b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 07682be7bebef973ab903237121ed43c139bd24abee0aab7b11c34cedc048231
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 7A11C421A5F78E4FE3659FA4C8296B8BBA0EF06318F4504BDD089871B3CE5D2904A640
                                                                                                                                                                                                                                          Function 00007FFD9B40748A Relevance: .1, Instructions: 58COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a7da2c00c7247d71f545a09d540ca3da1bba54e60845ada272ee44ecdef63314
                                                                                                                                                                                                                                          • Instruction ID: 834b025cc9507b0e3a69f7a67af0d26e756611a971ca069592541a78a61ef27b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a7da2c00c7247d71f545a09d540ca3da1bba54e60845ada272ee44ecdef63314
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3511C231E09A1D8FDFA8DF98C4A56ACB7B1FF59304F4111AAC04DE7252CA346A81DB40
                                                                                                                                                                                                                                          Function 00007FFD9B6189DE Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: a003424ae3c2df207f024b2465e11bb7a84081e88cc84837d1eca65c77101018
                                                                                                                                                                                                                                          • Instruction ID: b6a1593446c7a70ed86aae816fa6c86c880f5bf05a9a3a11c7d7f61bc5cda303
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: a003424ae3c2df207f024b2465e11bb7a84081e88cc84837d1eca65c77101018
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: AC01D832F0D90E4FEBA4EA5C98A1AA873E2FB94350F1541B6D01DC7295DE24BC828741
                                                                                                                                                                                                                                          Function 00007FFD9B40A690 Relevance: .1, Instructions: 57COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bd537e2ea38e8d3a67a23f93d9f6f72c693e51c4cb3fee938c1a23bcff12aed9
                                                                                                                                                                                                                                          • Instruction ID: ebeb6e3fb6411d515a4d35fd06f02229ceef832a1ffd9e91e7d02f21b4d4b7e5
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bd537e2ea38e8d3a67a23f93d9f6f72c693e51c4cb3fee938c1a23bcff12aed9
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: E801F431B0980D0FE7E4EA9CE854B7633D2EB98328F41027AE48CC32A6ED15EC019381
                                                                                                                                                                                                                                          Function 00007FFD9B405E82 Relevance: .1, Instructions: 53COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 66234b1174dd303a67268b4a4df0931da1c2ca09b057e5df8e2aeacfb07c10cd
                                                                                                                                                                                                                                          • Instruction ID: d8abfe10d6ddcc427f58549ee07e0612a7119eccf8f87277402873aaa029a0fb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 66234b1174dd303a67268b4a4df0931da1c2ca09b057e5df8e2aeacfb07c10cd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D811AC70E1974D9FDB11DFA8C4966ACBBF0FF15310F4401AAD085DB2A2CA38A842CB81
                                                                                                                                                                                                                                          Function 00007FFD9B61C804 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1ee8d3e02d17d9ce43ba70ec2622f75259e2d0b123c30915fe6af67e19084305
                                                                                                                                                                                                                                          • Instruction ID: 81a43bc163a60cf21dfa6622281e04a5f19c8ab37ede8ba095428645176dc63f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1ee8d3e02d17d9ce43ba70ec2622f75259e2d0b123c30915fe6af67e19084305
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CFF0F6A3B6EE4E1AE6A8955C38A60FC63C1DB45670705427BD55ACA5D6DC06780341C4
                                                                                                                                                                                                                                          Function 00007FFD9B40BEB7 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7cfae748dc046e8718811b4bf5a53038ec9c5afd2bd1e497d445f7db2aa87f16
                                                                                                                                                                                                                                          • Instruction ID: ea6d54fd077f64f850eddd73a93b14eb1545a2f5e843d0e3c96494744003a320
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7cfae748dc046e8718811b4bf5a53038ec9c5afd2bd1e497d445f7db2aa87f16
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F1012B21B0EE8A0FD7759BA864A55757BE0DB95210B0506BBC08AC3196DD6C6C458341
                                                                                                                                                                                                                                          Function 00007FFD9B40BD9C Relevance: .0, Instructions: 50COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 91d8223066b2c7e228fbe2575c761da2812187e357ac5fe31a9dd08e66caa268
                                                                                                                                                                                                                                          • Instruction ID: 1e3c940a2b8bccb6ee039fef9afe15995c38043ec8e6c359169fe3e9ab585a32
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 91d8223066b2c7e228fbe2575c761da2812187e357ac5fe31a9dd08e66caa268
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 31019622E1964D4FDBA4DBDCD8656ACB7E1FF99220F1041B6D449D72E2DD186C42CB00
                                                                                                                                                                                                                                          Function 00007FFD9B40AE30 Relevance: .0, Instructions: 50COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: bac67980cbec73c69af64cd0b97792676025dd653f5960fd2cd7dff5005e8cb6
                                                                                                                                                                                                                                          • Instruction ID: 34f180a6422c3e7352de40b4f4edea87a5cb2b80a23d5b845e9db722358e8f6c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: bac67980cbec73c69af64cd0b97792676025dd653f5960fd2cd7dff5005e8cb6
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4D018631B65E4E4FDBE9EB6CC0A09BA73E1FFA4304B45467AD44DC3199EE65E8418380
                                                                                                                                                                                                                                          Function 00007FFD9B40BF80 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f18fb55f9998a3fd830f9241b00975bfc1750ad817cbfd0df9d176f71eb83977
                                                                                                                                                                                                                                          • Instruction ID: d119528457c40049ff98ee2ce158a92f50e4655117caa90ce814f84f168e322b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f18fb55f9998a3fd830f9241b00975bfc1750ad817cbfd0df9d176f71eb83977
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B4018631B29D4E4FDBA8EB2894609B6B3E1FFA434474446BAD05DC3299EE24E9418741
                                                                                                                                                                                                                                          Function 00007FFD9B413230 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ab03607a7f5d28643d4a12ee22d53a01c67186c1d78da21c3ac15e3322cc43df
                                                                                                                                                                                                                                          • Instruction ID: b6b960f98d0ade6b9d740f6c419df0c9f9d2de2fb26bdcf37b58827934ee9b3c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ab03607a7f5d28643d4a12ee22d53a01c67186c1d78da21c3ac15e3322cc43df
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: F801F530E09B084FD7A4EB6880196AA7BE1EFD5314F04093EE489C3370DA3895418741
                                                                                                                                                                                                                                          Function 00007FFD9B404228 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 936102325533882fec8c753b90c3036a3a3aecd3aad08961d19027e36d1cd2de
                                                                                                                                                                                                                                          • Instruction ID: fdb7f3e38150d855e5903a7604696fcef67bf0a5639adb1d938d7faf52de820f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 936102325533882fec8c753b90c3036a3a3aecd3aad08961d19027e36d1cd2de
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4FF0F035E4950C8BEB20AED4F4003F8F7B8EB82398F01203EC00CA7150D73A9A95CB88
                                                                                                                                                                                                                                          Function 00007FFD9B408A22 Relevance: .0, Instructions: 49COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 560904fe4729301fea7cf8d807c215f6fead7ad01e77a6cdbebb984286c656c5
                                                                                                                                                                                                                                          • Instruction ID: b39db637650e3855b57eb962169927dd0244cd9781dcc1fd61da44da65d11a1f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 560904fe4729301fea7cf8d807c215f6fead7ad01e77a6cdbebb984286c656c5
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 23F02B35E4A50D4BD7309E94E4002F9F7B4EF42314F01113AC04CE7150D73AD695DB45
                                                                                                                                                                                                                                          Function 00007FFD9B61DDB1 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0ba6f3dd9113c82705c70d680bcbddc28d42d343a096c5a4118a9279a816e576
                                                                                                                                                                                                                                          • Instruction ID: 9ecd82ecb199dc3b2143953d2127864b6bac56b61436d23f1b24d60e7ca6a04c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0ba6f3dd9113c82705c70d680bcbddc28d42d343a096c5a4118a9279a816e576
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 22018F72E0A80D8AEB94EAA8E4658FDB7B0EF58350F00117AE01DE7195DF253540C740
                                                                                                                                                                                                                                          Function 00007FFD9B405EF3 Relevance: .0, Instructions: 48COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4878799bc72a56373053fd46622afe2d9344ff046e824ddbde5aaca9a4a86756
                                                                                                                                                                                                                                          • Instruction ID: e6da45c04eab87ddd33232f37dcfb6544951b7620aa0fa1a001a196508f51b8c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4878799bc72a56373053fd46622afe2d9344ff046e824ddbde5aaca9a4a86756
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 29016571E0061C8FDB98DE98D8A06EDB7B1EF88310F40412AD459EB294CA38A882CF40
                                                                                                                                                                                                                                          Function 00007FFD9B404B89 Relevance: .0, Instructions: 47COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8dbfdc4eefd1a047f876fa3e52882032c66130ecde1bcf4fa0e164adbad24d06
                                                                                                                                                                                                                                          • Instruction ID: 516afa2984be0fd1792177c56f2309552216d46069dbf4d0ac47c5ff60a12b6f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8dbfdc4eefd1a047f876fa3e52882032c66130ecde1bcf4fa0e164adbad24d06
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C001F76194E6CD5FD7519B6488652E87FB0EF05210F4605FBD099CB0A3E92819448742
                                                                                                                                                                                                                                          Function 00007FFD9B4025AB Relevance: .0, Instructions: 42COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 4388ad000c057bcf26247db478f7b341e8bfbadcefaaacead5713608f1dafafd
                                                                                                                                                                                                                                          • Instruction ID: dde42162bb1ce4fde2b6861d51dcec47fdbbbaff37eb9fc9a66789932bbb82a8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 4388ad000c057bcf26247db478f7b341e8bfbadcefaaacead5713608f1dafafd
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A9011A31A1851D8EDBA4EB58D898BE9B3B1EB98300F0002E6D04CE3191DE346D81CF00
                                                                                                                                                                                                                                          Function 00007FFD9B409E95 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9ec840d62145f6a7834efc5a44715dd791baa42ff32480814febf1c98155f8d2
                                                                                                                                                                                                                                          • Instruction ID: 1e7940711c640153d26cfba3ed571d545cc6e231518f5ad0c29cf0ee20ea492f
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9ec840d62145f6a7834efc5a44715dd791baa42ff32480814febf1c98155f8d2
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1BF0E252F0FE8E1FE7A2926C58781A81BC2DBA512474A01B3C4C8C72E3EC0D5D4243D1
                                                                                                                                                                                                                                          Function 00007FFD9B414121 Relevance: .0, Instructions: 41COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9ec61d5af668ff5d80255280d493f755a3df0fd601004e2394a2abd0b532233f
                                                                                                                                                                                                                                          • Instruction ID: b054f247f375db6b1f5c29bce49f2c5b340ffdcf806edd206798469fdfb2a0f0
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9ec61d5af668ff5d80255280d493f755a3df0fd601004e2394a2abd0b532233f
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 91F0F662A4E6CD1FE7B1866894753E13BA0EFA2310F0501FBD08CD6193EE241A058B80
                                                                                                                                                                                                                                          Function 00007FFD9B40AF99 Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: f93f59ee9d3007f5de0f31a7b204f5c76d48def423f40db8f968df70d87b36b8
                                                                                                                                                                                                                                          • Instruction ID: 767601adc59a83c63e5310ddaa3a75ee0b73c1ed26ce22df50808a9220aebb1e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: f93f59ee9d3007f5de0f31a7b204f5c76d48def423f40db8f968df70d87b36b8
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: CB01D17091DBCD4FDB46DF6888680AD7FF0FF15200B0504EBD458C71A2DA754914C741
                                                                                                                                                                                                                                          Function 00007FFD9B404B1D Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 12e4ed35e0b16cdeef6e11579bea7ad3fa1ba7ce7dab8e8e13c1cde963ccaa04
                                                                                                                                                                                                                                          • Instruction ID: 39a8e3bc549c7f6e68f2b29e648992a15ffc432a91c4a00b7bb4072ac38839bb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 12e4ed35e0b16cdeef6e11579bea7ad3fa1ba7ce7dab8e8e13c1cde963ccaa04
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3C01D130A0A68D8FDB54EF24C8612E97BB1FF55304F0208BEE44CC7692DA79E950CB80
                                                                                                                                                                                                                                          Function 00007FFD9B414F25 Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 914b7fcf67cab3e2452f39d41822a855da56fea9adecde21b04ac140e5272142
                                                                                                                                                                                                                                          • Instruction ID: d1f1d6355a8d3581b3fb4e0192cc94889d850019f204b0fad2c6f438999f0795
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 914b7fcf67cab3e2452f39d41822a855da56fea9adecde21b04ac140e5272142
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FDF05931E1EA4F0FD364D76CC4646A077D0FF18310B4912BAD448C73A6EF18E9918B80
                                                                                                                                                                                                                                          Function 00007FFD9B404DD6 Relevance: .0, Instructions: 40COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 8af4068564332796c9bef8d05542c6b573f153d86c35b5c528fb9c91aa66a878
                                                                                                                                                                                                                                          • Instruction ID: a86dee69387ff892d02b1a86c913820a6df639592bb3d1ffba998c26de85fac8
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 8af4068564332796c9bef8d05542c6b573f153d86c35b5c528fb9c91aa66a878
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 3801FB31E0590D8FEBA4EB68D8A0BACB7B2EF54304F5081B9D04DE3299CE756981CB40
                                                                                                                                                                                                                                          Function 00007FFD9B410B02 Relevance: .0, Instructions: 39COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9cb550c478d965189098478661bb0faf7288ee538d34fc373cfb7e569959f5b3
                                                                                                                                                                                                                                          • Instruction ID: aef8977375fdb99cd69fffedb59d2133337e1acf3f5cd77455d4ae16df1892e4
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9cb550c478d965189098478661bb0faf7288ee538d34fc373cfb7e569959f5b3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2EF02821A0E6CE0FD36697BC94245A07BF1EF55304B0E45F6C488CB2A7DA1CE984C351
                                                                                                                                                                                                                                          Function 00007FFD9B403B3E Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 534db486c6082f108166e2932432de0adfa8b6d9b13918c7728f709ebb838dec
                                                                                                                                                                                                                                          • Instruction ID: df12d78cd49ece32f7ab4a16f7f861074b1f3f927101fc41932b25e1e9a6898e
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 534db486c6082f108166e2932432de0adfa8b6d9b13918c7728f709ebb838dec
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 97F090B5E0951DAFDF60DBE8E4201FCBBF0EF68325B1002A7D548E7252DB3855419B40
                                                                                                                                                                                                                                          Function 00007FFD9B403E50 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 9fe599ef726663b6b1b7f9810624c61a2d58fd64849007456d30eb4975d6d2f4
                                                                                                                                                                                                                                          • Instruction ID: 6b9f8cfa6d791b655639fdb9649c328bb327d4f5d610009ae9966189bd56b7e3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 9fe599ef726663b6b1b7f9810624c61a2d58fd64849007456d30eb4975d6d2f4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: C2F08C30D0560C8BD7209EA5E0003F9F7B4EB4A309F411139D44CA2190C77A9695CF54
                                                                                                                                                                                                                                          Function 00007FFD9B412DE5 Relevance: .0, Instructions: 38COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 29865331f385b586f936ca432a8df256dbf2762d53b6b7534fe12cd3b4ccf378
                                                                                                                                                                                                                                          • Instruction ID: c00a74d6b04cb64ba4289152142aa2be2a97cba00ffabe4da88f9bf8fd4da7c9
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 29865331f385b586f936ca432a8df256dbf2762d53b6b7534fe12cd3b4ccf378
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: D3F02731F5AD0D4BDAA9A22C50B4BBA23D2EBA4350F45003AD44EC22D6DD58A9829380
                                                                                                                                                                                                                                          Function 00007FFD9B405038 Relevance: .0, Instructions: 37COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b1098517eb559e6058f69fccbf1276ee0a37d470e02783cefe48567a55a5fe88
                                                                                                                                                                                                                                          • Instruction ID: 7f5f576cdc0fd75a644488a8c9792cb38e6eeade192a530c65a1879349efbea6
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b1098517eb559e6058f69fccbf1276ee0a37d470e02783cefe48567a55a5fe88
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: DEF01D71F0592D8EDBA4EE58D8A0AFDB3B1EF45214F4041B6D05DD3295CE3569418B41
                                                                                                                                                                                                                                          Function 00007FFD9B408691 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 75e191324d4aaea9975794b0f3cb10e2f049cd143d3aa1f67be70c2cdda150e3
                                                                                                                                                                                                                                          • Instruction ID: 9006bfb8fdfbb780c3a56c9607ee93da95f956791e28ef02eacdbb64ca64b906
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 75e191324d4aaea9975794b0f3cb10e2f049cd143d3aa1f67be70c2cdda150e3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9EF0E530C4660D8FC7249E94E4403FDB3B4FB0A309F412539D04CA3190C7BA9794CB44
                                                                                                                                                                                                                                          Function 00007FFD9B405E26 Relevance: .0, Instructions: 36COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1db229cc98cbb84a96756056a4acc9889e246b217556271f681678ea2f53f143
                                                                                                                                                                                                                                          • Instruction ID: e637f86e48a83f346b01b4e8c67065f0356e663246a9e8b034a8c1f200f2c7e1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1db229cc98cbb84a96756056a4acc9889e246b217556271f681678ea2f53f143
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: FCF0F670A0DBCE5FCB51DB78842A699BBF0EF12360F1401EEC04DC7152DA389882CB40
                                                                                                                                                                                                                                          Function 00007FFD9B405DC7 Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0c506cb8342efe5e31f8fd9e7ce01cbcb54bcd32cd0bc7e9a03be0604142cb05
                                                                                                                                                                                                                                          • Instruction ID: e97bcc668f584feaec5d296da90555a4aaa2f70590d05a836c8cea33d7f446f1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0c506cb8342efe5e31f8fd9e7ce01cbcb54bcd32cd0bc7e9a03be0604142cb05
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9B01AF7090978D9FDB51EFB8C85669CBBF0FF15310F5000AAC489DB252CA386881CB41
                                                                                                                                                                                                                                          Function 00007FFD9B408C9F Relevance: .0, Instructions: 35COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2c895759c8e6777489889b127dd8458b6ab7248a08943b8cf125984dd14313dc
                                                                                                                                                                                                                                          • Instruction ID: cb03b5c50524a5a9cf9a776430a25be5f3a16f5b656676a656276eba397c88a1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2c895759c8e6777489889b127dd8458b6ab7248a08943b8cf125984dd14313dc
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42F08931D4F64D8FF7119AA095106BCFBB89F17214F4620B9C045671A2C67E5D84D725
                                                                                                                                                                                                                                          Function 00007FFD9B6101D0 Relevance: .0, Instructions: 34COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0f5377fe075f4ccfe13a86010d5167f85125412a84ad51c9810a5f64442fd83b
                                                                                                                                                                                                                                          • Instruction ID: 65e5cb9ec0cae172366381e7c5c8cbb82e6bbe48e66a59610d2c4c79dc28a163
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0f5377fe075f4ccfe13a86010d5167f85125412a84ad51c9810a5f64442fd83b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 4BE02B22B29D4E06CB69A65D14548FAB391EBD43007450276D02AC3198ED68FA014340
                                                                                                                                                                                                                                          Function 00007FFD9B6208D2 Relevance: .0, Instructions: 33COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 522a124651fe8dc27575e544755068daaf4efefab834dd43eba818008677eb9c
                                                                                                                                                                                                                                          • Instruction ID: 8f79569c9a029e5e5b29dba19c3caf4c79e46b96edda9a0da9e542726135be5b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 522a124651fe8dc27575e544755068daaf4efefab834dd43eba818008677eb9c
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 8AF03072F0D54D8EEB28DAC8E4920FC77A1FB44320B11103BD16ADB556DA22B593CB89
                                                                                                                                                                                                                                          Function 00007FFD9B613D7C Relevance: .0, Instructions: 32COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 5d15e5566c1fd609dd07228750854435b484c76f4758ece420680a76f88c81e7
                                                                                                                                                                                                                                          • Instruction ID: a57ed519979027d755a5a1df188e520a9d5f7de3c0c7deaed635cedae7ea6897
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 5d15e5566c1fd609dd07228750854435b484c76f4758ece420680a76f88c81e7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 15E0923170D80D8FE6A0D61CE424774B3E2FF98321F1211BAD01ECB265DE25EC014740
                                                                                                                                                                                                                                          Function 00007FFD9B61CBBF Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 7c7330e2f1a2cad7a595aa82d581bf5db24834bfc25dff59325fd428d9e7a047
                                                                                                                                                                                                                                          • Instruction ID: 4824b81a0e4508bff2f5a48b733ea4e20b34b21ee3a3ccfd0ccffdff931ebc24
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 7c7330e2f1a2cad7a595aa82d581bf5db24834bfc25dff59325fd428d9e7a047
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A9F0F975E0564E8FCB19DFA4C4618EDB3B1FB49310B11416ED426EB3A0DA38A946CF00
                                                                                                                                                                                                                                          Function 00007FFD9B40BC4A Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 2b2fc70635c8b6021651895eb89b41af992023586bed624ea6e9f916508f881d
                                                                                                                                                                                                                                          • Instruction ID: 4013d15a2b23e18a0c95e33b0c1d864d6f876c26c3e5737609e42e548511430c
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 2b2fc70635c8b6021651895eb89b41af992023586bed624ea6e9f916508f881d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 2CF05475E2550D9BEB98FB98C895DAC73B2FFD8B50F414034E088932A2DE296C019711
                                                                                                                                                                                                                                          Function 00007FFD9B40A0A5 Relevance: .0, Instructions: 31COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b3f9520a48c55c4c45c1cfa6f3eb92b3c670ed028f1817f8457ac771090e2c2a
                                                                                                                                                                                                                                          • Instruction ID: 57aeac885fcc8a019fcf213cf89c00d8764feabac8d344f3e80a1f7fbd51b61d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b3f9520a48c55c4c45c1cfa6f3eb92b3c670ed028f1817f8457ac771090e2c2a
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: BAE02B76A5624D57C7546BA5B4209EAB794EB40330B1004FFC16DCB442DE5810514B52
                                                                                                                                                                                                                                          Function 00007FFD9B61A558 Relevance: .0, Instructions: 30COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 370995555d86c01a27bdccff6c3ba0b3aa4c22ef5f2873c938cf30462ef1651d
                                                                                                                                                                                                                                          • Instruction ID: f0f871449b846dbec448a0bfd9ca900f950eb7a25db773daacf2f34a409199a7
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 370995555d86c01a27bdccff6c3ba0b3aa4c22ef5f2873c938cf30462ef1651d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 91E02233F2D20E5AFF6489C8B4516FC6390EF01224F00103AE5389B062DD2A78060F80
                                                                                                                                                                                                                                          Function 00007FFD9B40AF5E Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 86f4044e498b8f19af7e27fc65dcfd9a20adba745d3e7c8bf6a6d7b46459afd3
                                                                                                                                                                                                                                          • Instruction ID: c751909c9ea39433c72d50575617d7f5dddb2f466c862e2678933dc6028dc44d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 86f4044e498b8f19af7e27fc65dcfd9a20adba745d3e7c8bf6a6d7b46459afd3
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 94E07D8180F6C80FE72257F84C2A9903F90DF2310070C41FAC0C8CF1A3E40C610A8312
                                                                                                                                                                                                                                          Function 00007FFD9B40A0A8 Relevance: .0, Instructions: 28COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: d13808b1fb63197956f4c29a366b76d6d076505d2826f0cf68c3ff633d3b0b35
                                                                                                                                                                                                                                          • Instruction ID: 293b82c0c32e6821fee271b48f8d25a2ed2a228a82dbf7f3e4595bb9491db513
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: d13808b1fb63197956f4c29a366b76d6d076505d2826f0cf68c3ff633d3b0b35
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 69E0D872A5610E5BC7157BE5B4215FAB7A0EF00330B1445FFD07D8B483DEA814904F52
                                                                                                                                                                                                                                          Function 00007FFD9B40CE72 Relevance: .0, Instructions: 26COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 07882bc761561e235b50bc3b0881a3cdb69a2a7e5cbe1c825c60b85f195690c7
                                                                                                                                                                                                                                          • Instruction ID: f7f2105c2fffc0f447690db04f1bc6e76b4505374fee574710fe5047757d9009
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 07882bc761561e235b50bc3b0881a3cdb69a2a7e5cbe1c825c60b85f195690c7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 42E0D831B5C7855BD3498A7C5825469B3D1EF88264B14057DE485CB2C3DE2C984A8685
                                                                                                                                                                                                                                          Function 00007FFD9B408075 Relevance: .0, Instructions: 24COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 1570bbda323a1a0925f0cbdc686e509446c4391dea1180e7f8bf093bbd0103c4
                                                                                                                                                                                                                                          • Instruction ID: 84ccc6725c430d119cca05050a25493db45722b7eb4f1ca7ca3441224b1e3b00
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 1570bbda323a1a0925f0cbdc686e509446c4391dea1180e7f8bf093bbd0103c4
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 64E0E531E0441C8EDB64EB68D8A1BECB7B1FF44205F4040FAE01DE3286CA356981CB40
                                                                                                                                                                                                                                          Function 00007FFD9B40A008 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: cb81517f3585f9106b3bfb45ee0b66b4ff4118743efdbe479ab13aac05dc8037
                                                                                                                                                                                                                                          • Instruction ID: 016ffd984ab1aabebdad4fed9638b5486cae206a644411246b64b8b6d5369a38
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: cb81517f3585f9106b3bfb45ee0b66b4ff4118743efdbe479ab13aac05dc8037
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A0E0C223E0F98D1BF7B49168086927529D1FFA8298B9A06B9E44CD31A6FC193C026380
                                                                                                                                                                                                                                          Function 00007FFD9B403B03 Relevance: .0, Instructions: 23COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 6970c807acd4cfcf49c9372bb8b209608bde16449738f6b686e0255418e39b6e
                                                                                                                                                                                                                                          • Instruction ID: 8db86ed2d4a3d16fd13d95f8818659c64310e603e6173659a9912e0228b26262
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 6970c807acd4cfcf49c9372bb8b209608bde16449738f6b686e0255418e39b6e
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 9AE0927090DB896FD741EBB484568DDBFF0AF16220B1804BDC044DB163CA3C98C1CB51
                                                                                                                                                                                                                                          Function 00007FFD9B414190 Relevance: .0, Instructions: 22COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: fdd56515fb4258ea0afc7ee09c6705562c037545644a2ff4ac525611b4ff0450
                                                                                                                                                                                                                                          • Instruction ID: 0bb609df6e420d0837c0858c0688edd146d5e4fa98e79c333084cd166e9b4be3
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: fdd56515fb4258ea0afc7ee09c6705562c037545644a2ff4ac525611b4ff0450
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 48E01A70E0541D8AEB68DAA888647ACA3A0FF54344F10017AD00DD3292CF3459028B40
                                                                                                                                                                                                                                          Function 00007FFD9B619CCF Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: ac7f455ce3df45c08ec33010dfece6a82651760e17b825cbc8ca968d212cb275
                                                                                                                                                                                                                                          • Instruction ID: 017340923a64c04df61f13b88ba7aad21eb594682ab45d6df25b310a5d20c9a1
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: ac7f455ce3df45c08ec33010dfece6a82651760e17b825cbc8ca968d212cb275
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 1DC0122774E30A09B218209D3C130F8B3C1C7834706456137D19744692E84B3563008A
                                                                                                                                                                                                                                          Function 00007FFD9B41EE10 Relevance: .0, Instructions: 21COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b5266a6107b6cb3dc6a2be668091fdb1ffe1773702606e73689487dd13831c9d
                                                                                                                                                                                                                                          • Instruction ID: 60b7ef37b0665aa51db98c4a08864ca49caf8b9e3a9a1d7673986566266f9605
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b5266a6107b6cb3dc6a2be668091fdb1ffe1773702606e73689487dd13831c9d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 6FE0865058F78E2FDE42BBFC44264863FD05E066A471944E9C049CF1A3E50C488DC301
                                                                                                                                                                                                                                          Function 00007FFD9B613DC2 Relevance: .0, Instructions: 20COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2471710479.00007FFD9B610000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B610000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b610000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: b8d84a8f9999780a3624ae0870fe9f46d6549f281416c5d656b4a9526fdebe8d
                                                                                                                                                                                                                                          • Instruction ID: f161994b6e22485698cbcd2859653c1b73a17fc0e4bf9ef477c477cd9eb445eb
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: b8d84a8f9999780a3624ae0870fe9f46d6549f281416c5d656b4a9526fdebe8d
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 82D0A73170D4284FE2A8D61CF411BB4B3D0EB45331F4141B7E49DCA2DACD1A6C464380
                                                                                                                                                                                                                                          Function 00007FFD9B412993 Relevance: .0, Instructions: 15COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: dff6f65d9fd4c21f0019841fffdd90868cebfe0c7e6cbfd932157a677b23696b
                                                                                                                                                                                                                                          • Instruction ID: 4cea19e8561cd16ca2bd91566d0ad84d3276e2732c99b0fa59f0abb60e90f37b
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: dff6f65d9fd4c21f0019841fffdd90868cebfe0c7e6cbfd932157a677b23696b
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: B5D05E3060A2404FDB58AE28A080C80B790EF1230835509E8E0148B1E7C92ADC82CB01
                                                                                                                                                                                                                                          Function 00007FFD9B40AB00 Relevance: .0, Instructions: 11COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: e07506aa6f7c8ce0f5d5cb6501db43e2b29c9942b33abc45734cafb3f287d010
                                                                                                                                                                                                                                          • Instruction ID: 312a0d8a94de6d5512d2090335a807f67bbd499f496679d31a19ceb61d736ada
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: e07506aa6f7c8ce0f5d5cb6501db43e2b29c9942b33abc45734cafb3f287d010
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 86C08C20A2590D8AC728B76884810187690FF08204FC001F4E44CC2284DA6D91445706
                                                                                                                                                                                                                                          Function 00007FFD9B405D2A Relevance: .0, Instructions: 10COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 0811e2068e954e091e390bba1ea530fb8a367dc6af7497ff210d58e738c61d80
                                                                                                                                                                                                                                          • Instruction ID: 72d971277a48132d29f010c8f933309e988ad47be372aa1da57d9bcccb0b021d
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 0811e2068e954e091e390bba1ea530fb8a367dc6af7497ff210d58e738c61d80
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: 53C04C6690991D4AEB95DA5C889819867A1EF94254B004117D048D2254DF2864015B40
                                                                                                                                                                                                                                          Function 00007FFD9B4081AE Relevance: .0, Instructions: 9COMMON
                                                                                                                                                                                                                                          Download Yara Rule
                                                                                                                                                                                                                                          Memory Dump Source
                                                                                                                                                                                                                                          • Source File: 0000000D.00000002.2463589194.00007FFD9B400000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B400000, based on PE: false
                                                                                                                                                                                                                                          Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                          • Snapshot File: hcaresult_13_2_7ffd9b400000_AteraAgent.jbxd
                                                                                                                                                                                                                                          Similarity
                                                                                                                                                                                                                                          • API ID:
                                                                                                                                                                                                                                          • String ID:
                                                                                                                                                                                                                                          • API String ID:
                                                                                                                                                                                                                                          • Opcode ID: 56b10ba1648e5842ae491e23b5a20df9fe10df74d440fdbe426dc638c27d7fb7
                                                                                                                                                                                                                                          • Instruction ID: f9473f2f230061664a73928378309b95b1cde1b1b292c1d459d010090b1297ad
                                                                                                                                                                                                                                          • Opcode Fuzzy Hash: 56b10ba1648e5842ae491e23b5a20df9fe10df74d440fdbe426dc638c27d7fb7
                                                                                                                                                                                                                                          • Instruction Fuzzy Hash: A2C09B7078565D9FC3829AB5543C79577D05B25520B1804EF844DDB2D1D57C4CC64714